What are SOC 1, SOC 2 and SOC 3 Reports?
- SOC 1 Report (Type II)
Report on Controls at a Service Organization Relevant to User Entities’ Internal Control over Financial Reporting (SSAE-18) – This report is used by customers undergoing financial statement audits and those who require compliance with the Sarbanes-Oxley Act or similar regulation. It reports on the effectiveness of controls in achieving stated objectives throughout a specified period and was formerly known as SAS 70. Receipt of this report requires execution of a mutual non-disclosure agreement and is available from an account manager.
- SOC 2 + HITRUST CSF Report (Type II)
Report on Controls at a Service Organization Relevant to Security, Availability and Confidentiality – This report is used by customers who require confidence in the critical business processes and procedures to complement compliance with the Health Information Portability and Accountability Act (HIPAA), Payment Card Industry Digital Security Standard (PCI-DSS), and other industry or government regulations with relevant requirements. Receipt of this report requires execution of a mutual non-disclosure agreement and is available from an account manager.
The American Institute for Certified Public Accountants (AICPA) has partnered with the HITRUST Alliance to develop a single illustrative SOC 2 + HITRUST CSF report that incorporates all relevant criteria into a single control attestation. This framework supports the Health Insurance Portability and Accountability Act (HIPAA). Receipt of this report requires execution of a mutual non-disclosure agreement; the NDA and report are available from an Expedient account manager.
- SOC 3 Report
Trust Service Report for Organizations – This report is used by prospective and current customers as a general overview of controls related to certain processes and procedures. Receipt of this report requires acceptance of our terms and conditions and is available for download.
Expedient SOC reports use the National Institute of Standards and Technology (NIST) Special Publications control framework, including NIST SP 800-53. More information about SOC reporting is available from the American Institute of Certified Public Accountants (AICPA).