Information Technology Compliance: Service Organization Control (SOC) Reporting

SOC reports offer a confirmation of services provided by a service organization including information that users need to assess and address the risks associated with an outsourced service. They are designed to help Information Technology service organizations build trust and confidence in their service delivery processes and controls through a report by an independent Certified Public Accountant.

What are SOC 1, SOC 2 and SOC 3 Reports?

  • SOC 1 Report (Type II)
    Report on Controls at a Service Organization Relevant to User Entities’ Internal Control over Financial Reporting (SSAE-18) – This report is used by customers undergoing financial statement audits and those who require compliance with the Sarbanes-Oxley Act or similar regulation. It reports on the effectiveness of controls in achieving stated objectives throughout a specified period and was formerly known as SAS 70. Receipt of this report requires execution of a mutual non-disclosure agreement and is available from an account manager.
  • SOC 2 + HITRUST CSF Report (Type II)
    Report on Controls at a Service Organization Relevant to Security, Availability and Confidentiality – This report is used by customers who require confidence in the critical business processes and procedures to complement compliance with the Health Information Portability and Accountability Act (HIPAA), Payment Card Industry Digital Security Standard (PCI-DSS), and other industry or government regulations with relevant requirements. Receipt of this report requires execution of a mutual non-disclosure agreement and is available from an account manager.

    The American Institute for Certified Public Accountants (AICPA) has partnered with the HITRUST Alliance to develop a single illustrative SOC 2 + HITRUST CSF report that incorporates all relevant criteria into a single control attestation. This framework supports the Health Insurance Portability and Accountability Act (HIPAA). Receipt of this report requires execution of a mutual non-disclosure agreement; the NDA and report are available from an Expedient account manager.
  • SOC 3 Report
    Trust Service Report for Organizations – This report is used by prospective and current customers as a general overview of controls related to certain processes and procedures. Receipt of this report requires acceptance of our terms and conditions and is available for download.

Expedient SOC reports use the National Institute of Standards and Technology (NIST) Special Publications control framework, including NIST SP 800-53. More information about SOC reporting is available from the American Institute of Certified Public Accountants (AICPA).

The best of Expedient delivered to your inbox.

Sign up for more technical briefs, stories, and special offers from Expedient.

Big Picture
December 12th, 2024 at 1:00 PM ET

Big Picture: Putting 2024 in Perspective

Join us

Big Picture

December 12th, 2024 at 1:00 PM ET

Big Picture: Putting 2024 in Perspective

Join us