Back to SOC 2

What is a SOC report? SOC 1, SOC 2, and SOC 3 explained for vendors and buyers

Photo: Unsplash

A SOC report (System and Organization Controls) is issued by an independent CPA firm after examining controls at a service organization—companies that provide outsourced services affecting their customers’ financial reporting, security, or operations.

Related: SOC 1, 2, and 3 guide · Collection


Key takeaways

  • SOC reports are attestations, not ISO-style certificates.
  • SOC 1 focuses on financial reporting controls; SOC 2 on security/availability/etc.; SOC 3 is a public summary of SOC 2–style controls.
  • Reports are usually restricted (NDA) except SOC 3 general-use reports.
  • Buyers use SOC reports to assess vendor risk during procurement.

What is a SOC report?

The report describes:

  • Scope of systems and services
  • Controls examined
  • Auditor testing and opinion

Standards are governed by AICPA (e.g., SSAE 18). See SSAE 16 vs SSAE 18.


SOC 1, SOC 2, and SOC 3

Report Primary audience Focus
SOC 1 Financial auditors Controls affecting customers’ financial statements
SOC 2 Security/procurement teams Trust Services Criteria (security, etc.)
SOC 3 Public marketing High-level SOC 2–aligned summary

Type 1 vs Type 2 (SOC 2)

For SOC 2:

  • Type 1: Design of controls at a point in time
  • Type 2: Design and operating effectiveness over a period

See Type 1 vs Type 2.


Disclaimer (legal note)

Report contents are confidential to intended users unless marked general use (SOC 3). Not legal advice.

Need compliance without the complexity?

SecureSlate automates ISO 27001, SOC 2, GDPR, HIPAA, and more. Built for growing teams. See it in action.

No credit card required

Filed under:

Author: SecureSlate Team

4.9(409 reviews)

Keep reading

Jul 9, 2026 · TemplatesSOC 2

SOC 2 Readiness Checklist Template: Free Excel Download

Jul 5, 2026 · SOC 2

SOC 2 audit process: fieldwork, testing, and what to expect in 2026

Jul 5, 2026 · SOC 2

SOC 2 gap analysis assessment: the complete playbook to find gaps, fix them, and close enterprise deals faster

View more posts
Jamie
Virtual Agent

Hi! I'm Jamie. Curious about your current compliance challenges and how automation might help your team?