SOC reports are part of the SSAE reporting format created by the American Institute of Certified Public Accountants (AICPA). They are uniformly recognised as acceptable for regulatory purposes in many industries, although they were specifically designed as mechanisms for ensuring compliance with the Sarbanes-Oxley Act (colloquially referred to as SOX), which governs publicly traded corporations.
There are three categories: SOC 1, 2 and 3.
Each of them is meant for a specific purpose, and there are further sub-classes of reports (called types) as well.
SOC 1 reports are designed for service providers who have a significant impact on the financial reporting of their customers. These reports aim to ensure that the service provider's controls are functioning correctly and accurately, thus decreasing the risk of errors and fraudulent activities in their clients' financial statements. SOC 1 reports are intended to be used by auditors of the service provider's customers.
SOC 1 reports are strictly for auditing the financial reporting instruments of a corporation and therefore aren't a focus in most cloud provider audits. It's worth knowing that they exist and that there are two subclasses of SOC 1: Type 1 and Type 2.
SOC 2 reports are designed for service providers who store, process, or transmit sensitive data for their customers. These reports evaluate the service provider's controls related to security, availability, processing integrity, confidentiality, and privacy. SOC 2 reports are intended to be used by the service provider's customers, their auditors, and other relevant stakeholders.
SOC 2 reports also come in two types: Type 1 and Type 2. A SOC 2 Type 1 report reviews only the design of the controls, not how they are implemented and maintained or whether they actually function. Thus, a SOC 2 Type 1 report is not extremely useful for determining the security and trustworthiness of an organisation.
A Type 1 report evaluates the design of the service provider's controls at a specific point in time. This report provides an understanding of the controls that are in place and whether they are suitably designed to achieve the control objectives. It is intended to be used by auditors of the service provider's customers.
A Type 2 report evaluates the operating effectiveness of the service provider's controls over a specified period of time (usually six months to a year). This report provides an understanding of whether the controls are operating effectively in practice. It is intended to be used by auditors of the service provider's customers.
To summarise, the main difference between Type 1 and Type 2 reports is that the former evaluates the design of the controls, while the latter evaluates the operating effectiveness of the controls over a period of time.
SOC 3 reports are designed for service providers who want to showcase their adherence to the Trust Services Criteria to their customers and the public. These reports provide a high-level overview of the service provider's controls related to security, availability, processing integrity, confidentiality, and privacy, but without the level of detail provided in SOC 2 reports. SOC 3 reports are intended to be used by a wide range of stakeholders, including potential customers, regulators, and investors.
SOC 3 reports are designed to be shared with the public. They contain no actual data about the security of controls of the audit target and are instead just an assertion that the audit was conducted and that the organisation passed.