Service Organization Control (SOC) reports

One of the most effective ways a service organization can communicate information about its controls is through a Service Organization Control (SOC) report. A SOC 1 report focuses on controls at the service organization that would be useful to user entities and their auditors for the purpose of planning a financial statement audit of the user entity and evaluating internal control over financial reporting at the user entity.  The SOC 1 report contains the service organization's system description and an assertion from management.  In addition, the independent service auditor (i.e., CPA firm) opinion or service auditor report is included.  There are two types of SOC 1 reports: Type I and Type II.

A Type I report is intended to cover the service organization's system description at a specific point in time (e.g. June 30, 2012). A Type II report not only includes the service organization's system description, but also includes detailed testing of the service organization's controls over a minimum six month period (e.g. January 1, 20xx to June 30, 20xx) - also known as Tests of Operating Effectiveness. The contents of each type of SOC 1 report is described in the following table:

  • Report Contents

  • Type I Report

  • Type II Report

  • 1. Independent service auditor's report (i.e. opinion)
  • Included
  • Included
  • 2. Service organization's description of its system (including controls).
  • Included
  • Included
  • 3. Information provided by the independent service auditor; includes a description of the service auditor's tests of operating effectiveness and the results of those tests
  • Optional
  • Included
  • 4. Other information provided by the service organization (e.g. glossary of terms).
  • Optional
  • Included


In a Type I report, the service auditor will express an opinion and report on the subject matter provided by the management of the service organization as to (1) whether the service organization's description of its system fairly presents the service organization's system that was designed and implemented as of a specific date; and (2) whether the controls related to the control objectives stated in management's description of the service organization's system were suitably designed to achieve those control objectives - also as of a specified date.

In a Type II report, the service auditor will express an opinion and report on the subject matter provided by the management of the service organization as to (1) whether the service organization's description of its system fairly presents the service organization's system that was designed and implemented throughout the specified period; (2) whether the controls related to the control objectives stated in management's description of the service organization's system were suitably designed throughout the specified period to achieve those control objectives; and (3) whether the controls related to the control objectives stated in management's description of the service organization's system operated effectively throughout the specified period to achieve those control objectives. 

SOC 2 and SOC 3 reports are designed to allow service organizations to communicate information about their system description in accordance with specific criteria related to availability, security, and confidentiality. You can read more about SOC 2 and SOC 3 reports in the Trust Services section of this site.