What is a SOC report? SOC 1, SOC 2, and SOC 3 explained for vendors and buyers
A SOC report (System and Organization Controls) is issued by an independent CPA firm after examining controls at a service organization, meaning a company that provides outsourced services affecting its customers’ financial reporting, security, or operations.
Key takeaways
- SOC reports are attestations, not ISO-style certificates.
- SOC 1 focuses on financial reporting controls; SOC 2 on security/availability/etc.; SOC 3 is a public summary of SOC 2–style controls.
- Reports are usually restricted (NDA) except SOC 3 general-use reports.
- Buyers use SOC reports to assess vendor risk during procurement.
What is a SOC report?
The report describes:
- Scope of systems and services
- Controls examined
- Auditor testing and opinion
Standards are governed by AICPA (e.g., SSAE 18). See SSAE 16 vs SSAE 18.
SOC 1, SOC 2, and SOC 3
| Report | Primary audience | Focus |
|---|---|---|
| SOC 1 | Financial auditors | Controls affecting customers’ financial statements |
| SOC 2 | Security/procurement teams | Trust Services Criteria (security, etc.) |
| SOC 3 | Public marketing | High-level SOC 2–aligned summary |
Type 1 vs Type 2 (SOC 2)
For SOC 2:
- Type 1: Design of controls at a point in time
- Type 2: Design and operating effectiveness over a period
See Type 1 vs Type 2.
Disclaimer (legal note)
Report contents are confidential to intended users unless marked general use (SOC 3). Not legal advice.
