SOC 2 examinations are often requested for:
- SaaS, infrastructure as a service (IaaS), and platform as a service (PaaS)
- Cloud-based providers
- Data centers and colocation facilities
- IT-managed services companies
- IT-hosted services
- Business intelligence software
Types of SOC 2
Similar to a SOC 1 report, there are two types within SOC 2:
- Type 1. Assesses management’s description of a service provider’s system and the suitability of the design of controls.
- Type 2. Assesses management’s description of a service provider’s system and the suitability of the design and operating effectiveness of controls.
Like SOC 1 examination reports, SOC 2 examination reports can be distributed only to management; current and prospective customers, or user entities; practitioners providing services to such user entities; and regulators.
SOC 3 reports are essentially a smaller-scale version of a SOC 2 report and are used primarily for public distribution.
While demand is lower for these reports, the public distribution element can be compelling for companies as the use of a SOC 3 report isn’t restricted.
SOC 3 covers the same subject matter as a SOC 2 report, but with some key differences:
- Designed for users who want assurance on the controls at a service organization but don’t need a SOC 2 report, or lack the knowledge needed to make effective use of one; as a result, the description of the system is less detailed
- Doesn’t include a description of the service auditor’s tests of controls and results
Companies generally must complete a SOC 2 examination before requesting a SOC 3 report, but the SOC 3 report can be issued concurrently with the SOC 2 report.
How the SOC Process Works
Once a preliminary readiness assessment is complete, a timeline can be developed for the engagement based on the assessment results.