SOC® Reports

What is a SOC Report?

System and Organization Controls (SOC) reports allow service providers to demonstrate that they are operating in an ethical and compliant manner. Used by SaaS vendors, cloud service providers, data center and colocation providers, payroll processors, third-party administrators, healthcare organizations, and service organizations in a variety of other verticals, SOC reports establish credibility and trustworthiness for user entities and internal stakeholders. Because the reports demonstrate a high level of commitment to information security, they can help you create a competitive advantage that is well worth the time and resources.

360 Advanced SOC Reports Services


A SOC 1 report, as defined by the American Institute of Certified Public Accountants (AICPA), is a “Report on Controls at a Service Organization Relevant to User Entities’ Internal Control Over Financial Reporting.” This type of report provides independent assurance that your internal controls affecting your customers’ financial reporting are appropriately designed and implemented.


A SOC 2 report is an attestation that provides an opinion on the design and effectiveness of your operational controls. SOC 2 reports are based on the five AICPA Trust Services Categories; every SOC 2 report covers Security, and you can choose to include Availability, Processing Integrity, Confidentiality and/or Privacy based on your organization’s needs.


A SOC 3 report is based on a SOC 2 Type 2 report. However, while SOC 2 reports can only be shared with a limited audience, a SOC 3 report can be shared publicly. In a SOC 3 report, confidential information is redacted to make it appropriate for general use. These reports are most commonly used to support sales and marketing efforts.

Our Approach to SOC Reporting

Your SOC report should support your organization’s unique needs – as well as your customers’ expectations. Our team will help you determine the most appropriate scope for your examination. Your SOC report can cover:

  • Security
  • Availability
  • Processing Integrity
  • Confidentiality
  • Privacy
  • Controls related to financial reporting
  • Controls related to cybersecurity
  • Controls related to supply chain operations


We can also include additional information about procedures that fall outside the traditional subject matter of a SOC report. You can discuss any additional procedures with your auditor during the scoping process.

Once you’ve decided what information to include in your report, you will need to decide if you should start with a Readiness Assessment or move directly into a formal SOC examination. If this is your first SOC examination, a Readiness Assessment can help you identify gaps in your controls. From there, we provide tailored feedback for you to utilize in your remediation plan.

For your formal examination, your team will develop a description of your system elements; collect documentation; and schedule on-site testing (virtual or in-person). Our team can guide you through the entire process, helping you create a detailed project plan that will keep your engagement on track.


Learn More about an Integrated Compliance Strategy with our Guide

Integrating your compliance needs into one strategy can save your business time and money. Download our free guide to find out how.


Prev Arrow
Next Arrow

Begin your SOC Examination today!

Looking for support with SOC 1, SOC 2 or SOC3? We’re here for you!
Fill out the contact form, and within 24 hours, our team will provide the expert guidance you need.

360 Cyber Resources

Explore a wealth of knowledge in our client stories, insightful blogs, cutting-edge white papers, and the latest press releases—your gateway to a repository of expertise and industry insights.