DEFINING SOC

For starters, SOC is a system of service organization controls. SOC stands for “system and organization controls,” and the controls are a series of standards designed to help measure how well a given service organization conducts and regulates its information. The purpose of SOC standards is to provide confidence and peace of mind for organizations when they engage third-party vendors. A SOC-certified organization has been audited by an independent certified public accountant who determined the firm has the appropriate SOC safeguards and procedures in place. 

SOC concerns the internal controls in place at the third-party service organization. For a company to receive SOC certification, it must have sufficient policies and strategies that satisfactorily protect clients’ data.

SOC 1, SOC 2, and SOC 3 certifications all require a service organization to display controls regulating their interaction with clients and client data. Note that SOC levels indicate differences both in the purview of the certification and in the intended audience for the reports.

• SOC 1 reports on the service organization’s controls related to its clients’ financial reporting.
• SOC 2 reports build on the financial reporting basis of SOC 1 and also require standard operating procedures for organizational oversight, vendor management, risk management, and regulatory oversight. A SOC 2-certified service organization is appropriate for businesses whose regulators, auditors, compliance officers, business partners, and executives require documented standards.
• SOC 3 reports are a simplified version of SOC 2 reports, requiring less formalized documentation. SOC 3 reporting is appropriate for businesses with less regulatory oversight concerns.