SOC Basics: 1, 2, and 3
For many companies, their first introduction to SOC comes at a critical junction - you are chatting with your biggest prospect yet, they love the product, they want to move forward. This will be HUGE for the company - the sales team is ecstatic, the investors will breathe a sigh of relief, the executive team feels like the startup journey was all worth it. Things are going well until…the dreaded procurement process. Compliance requires a “SOC report” and Legal won’t let you redline it. If a customer, investor, or vendor risk team has asked you for a “SOC report,” the first question is usually, which one? Here's a plain-English breakdown of the types of SOC reports:
SOC 1, 2, & 3:
SOC 1: Controls Over Financial Reporting
SOC 1 reports address controls that are relevant to a user entity's financial statements. Think payroll processors, fund administrators, or any vendor whose systems feed into a customer’s accounting system. Auditors of your customer's financial statements will rely on your SOC 1 report to get comfortable that your controls won’t introduce risk or cause miscalculations or misstatements in the financial statements.
SOC 2: Controls Over Security (and more)
SOC 2 is more broadly applicable, as it can be requested of any company that obtains, stores, or processes sensitive data on behalf of the customer (or the customer’s customer). SOC 2 is also applicable to companies whose customers rely on them for business operations. Examples include cloud hosting providers, enterprise SaaS, healthtech, fintech, and AI companies. The SOC 2 is based on a standard set of requirements, the Trust Services Criteria. All SOC 2 reports address a base set of security requirements, and companies can elect to include additional requirements for availability, processing integrity, confidentiality, and privacy based on customer requirements and relevance.
SOC 3: The Public-Facing Version
SOC 1 and 2 reports are restricted-use - shared with customers, prospects, and vendors selectively and not published publicly. For customers that have undergone a SOC 2, a SOC 3 report can be obtained to serve as marketing collateral. It covers the same Trust Services Criteria as SOC 2, but it’s a shortened general-use report with no detailed control descriptions or test results. Companies post SOC 3 reports on their websites or marketing pages as a trust signal. SOC 3 is a low-cost add-on to SOC 2, and can be a great option for customers with frequent website visitors seeking validation of security.
Type I & II:
Both SOC 1 and SOC 2 reports have two “types”:
Type I includes a test of design of controls (aka a “test of one”) as of a specific date. It is the fastest path to a SOC report and is often the first report a company will issue.
Type II covers a review period and tests whether controls actually operated effectively during that time frame. This is the ultimate goal. A company’s first SOC report can be over a shortened time frame (3 to 6 months, for example) to receive a report sooner, but ultimately you’ll want to do annual SOC 1 or 2 Type II reports.
Here’s an example of how testing of one control would differ between a Type I and Type II report: For a Type I, we would ask for one recent example of a background check being executed for a new employee. Example checked, looks good, control passed. For a Type II, we would request a list of all new hires during the reporting period (the time frame the report covers) and pick a random sample of new employees. We’d ask for evidence of background checks for that sample and test each. One of the hardest parts about Type II that people don’t realize is that they may be asked for evidence that sometime happened up to a year prior - without solid documentation, this can be a really painful process. This is one of the key reasons we like to start with Type I as a “trial run”.
Which One Do You Actually Need?
If a customer’s auditor is asking about your role in their financial statement close, you likely need SOC 1. If customers or prospects are asking about your security and data handling practices as part of vendor risk assessments, that's SOC 2. Some (unlucky) companies need both. All customers expect you to eventually obtain a Type II report, but most customers will accept a Type I as a stepping stone to the Type II. If you want a public trust badge without disclosing control details, layer SOC 3 on top of an existing SOC 2. If this sounds overly complicated - you aren’t alone (so thank goodness Eye & Co is here to help). If you are unsure what you need, or if you think you are being asked for a report that doesn’t make sense - let’s chat. We’ll help you decide what’s appropriate and if needed, help you come up with talking points if you are being asked for a report that isn’t relevant to you.