Organizations currently have a variety of third-party reporting options, raising key questions about the most effective means to convey to users the control environment in place. The American Institute of CPAs has designed multiple system and organization control (SOC) reports to communicate those controls, but organizations must understand which report can help users best assess the risks of outsourcing providers.
For example, SOC 1 reports focus on internal controls over financial reporting. Type 1 reports assess the design and implementation of controls as of a point in time, while Type 2 reports assess the design and implementation as well as the operating effectiveness of controls over a period of time. However, a SOC 2 or SOC 3 report may be more appropriate for users who are more interested in security, availability, processing integrity or privacy.