Security & Compliance Blog

SOC 1, SOC 2, SOC 3 Reports & Assessments Overview - 7 Things you need to Know

AICPA SOC 1, SOC 2, and SOC 3 reports & assessments are becoming increasingly common in today’s business arena as service organizations now effectively have three distinct reporting options to choose from. With a global economy that’s becoming more efficient, scalable – and extremely reliant on technology – SOC reports & assessments are now being performed on thousands of businesses throughout the world as customers are demanding assurances of a service organization’s internal controls. And with the increased use and application of technology, expect SOC reports – particularly SOC 2 and SOC 3 – to continue to grow in adoption by the likes of data centers, cloud vendors, managed services providers, ISPs, and many other technology-oriented businesses. It’s a SOC world for sure, so here’s what you need to know about SOC 1, SOC 2, and SOC 3 reports, courtesy of NDNB Accountants & Consultants, LLP.

SOC 1, SOC 2, SOC 3 Reports & Assessments – 7 Essential Things to Know

1. It’s a SOC world after all. The all-new SOC (Service Organization Control) platform represents a monumental shift initiated by the American Institute of Certified Public Accountants (AICPA). In an effort to modernize and take a more global approach to service organization reporting, the aging SAS 70 auditing platform has been replaced in favor of SSAE 16, under the umbrella of the SOC framework. Within this framework are three reporting options: SOC 1, SOC 2 and SOC 3. The ISAE 3402 reporting option serves as an international equivalent to SSAE 16, which is the de facto standard for compliance reporting. Thus, for companies exhibiting a true nexus to the ICFR concept, SSAE 16 SOC 1 is now available.

As for SOC 2 and SOC 3, they’re geared towards companies in the technology space – the likes of data centers, cloud computing (SaaS, PaaS, and IaaS), software development entities, and others. And in today’s digitally driven world where technology continues to permeate our lives, both personally and professionally, SOC 2 is becoming a well-known professional assessment standard that’s being embraced by every conceivable business industry/sector throughout North America and the globe. Call and speak with CPA Christopher Nickell at 1-800-277-5415, ext. 706 today to learn more, or email him to obtain a fixed-fee quote.

2. SOC 1 is here. With the retirement of SAS 70, SOC 1 has emerged as the new champion. As we have already alluded to, SOC 1 offers multiple reporting options in conjunction with the SSAE 16 professional standard; this results in the issuance of Type 1 and Type 2 reports. Although SSAE 16 reports are technically designed for reporting on controls within service organizations that have a true nexus with a concept known as ICFR (Internal Control over Financial Reporting), the SSAE 16 standard continues to attract a wide array of third-party entities.

3. SOC 2 is slowly emerging. The upgrade from SAS 70 signaled a changing of the guard, and with this change came more meaningful and flexible reporting options; hence, the expanded offerings from the new standard. Compared to SOC 1 SSAE 16 reporting, SOC 2 is also being utilized in widespread fashion. However, SOC 2, which is commonly used for technology-based service organizations (cloud computing entities, data centers, etc.), is emerging as a legitimate alternative. This trend will only gain momentum as interested parties become more aware of SOC 2’s true value. Meanwhile, AT 101 serves as the professional standard for SOC 2 reports, much like SSAE 16 does for SOC 1.

SOC 2 reporting incorporates the Trust Service Principles (TSP), which are:

  • Security
  • Availability
  • Processing Integrity
  • Confidentiality
  • Privacy

4. SOC 3 is an option also. SOC 3 shares several similarities with SOC 2. Both reporting options utilize the Trust Service Principles, both issue reports under the AT 101 professional standard, and both are increasing in recognition and usage. Either of these reporting options serves as a viable alternative to SOC 1. However, despite lacking the technical depth of SOC 2 reporting, SOC 3 offers SysTrust and WebTrust seals that can be issued and showcased as validation of compliance.

5. Policies and procedures are necessary for SOC compliance. In the world of regulatory compliance, policies and procedures need to be developed and followed! Information security policies and procedural documentation are just a few examples of the multitudes of categories where these controls are necessary, so don’t forget! One of the advantages of working with NDNB is that we offer comprehensive SOC 1 and SOC 2 Policy Packets containing all essential information security policies, procedures, and other supporting documentation to help ensure all necessary materials are developed for the respective audits you’ll be performing.

Remember something very important: auditors WILL ask for your policies and procedures – it’s often tops on the list – so instead of spending hundreds of hours and thousands of dollars on policy writing consultants, just use our templates. To learn more about NDNB's SSAE 16 reporting services and our competitive, fixed-fee pricing, contact Christopher G. Nickell, CPA. He can be contacted at 1-800-277-5415, ext. 706 or via email today.

7. Create an Asset Inventory. What’s one of the best ways to protect your overall I.T. landscape? Knowing exactly what information systems you have in place and where they are logically/physically located, along with other important considerations. Because of this, every business should have in place a comprehensive asset inventory that lists all of its I.T. assets – networking devices, servers, laptops, and all other devices. Such a list also tremendously aids the overall SOC audit process, as auditors are seeking to assess a sample of your I.T. systems and therefore require a list to choose from.

NDNB – North America’s Leading Provider of SOC 1, SOC 2, and SOC 3 Assessments

The complex business environment in today’s world is also becoming increasingly challenging as organizations are faced with growing regulatory compliance mandates. Competition is everywhere, and now you have to find the time and money for performing annual SOC 1, SOC 2, and SOC 3 assessments. The solution for easing the pain of compliance audits is to talk to the proven and trusted professionals at NDNB, providers of high-quality, fixed-fee assessments. We’ve been in the regulatory compliance business for years, and we can help you navigate the sometimes rough waters of SOC 2 compliance. From scoping & readiness assessments to policy writing and more, NDNB offers a complete lifecycle of services and solutions for the AICPA Service Organization Control (SOC) reporting platform.

Additionally, NDNB offers numerous other compliance reporting services for PCI DSS, HIPAA, GLBA, FISMA, DFARS, Regulation AB, and much more. All of our services are performed by licensed professionals with years of compliance expertise. Lastly, our fixed-fee pricing philosophy – one of NDNB’s signature offerings – applies to all of our services. Call and speak with Christopher Nickell, CPA, at 1-800-277-5415, ext. 706, or contact him via email today.

Since 2006, NDNB has been setting the standard for security & compliance regulations