Distinguishing SOC 1, SOC 2, SOC 3, Type 1, and Type 2 Reports

How SOC reports differ by control objective, intended users, Trust Services Criteria, financial statement relevance, and Type 1 versus Type 2 coverage.

SOC reports are attestation reports on controls at service organizations. They matter because user entities often outsource payroll, benefits administration, cloud hosting, payment processing, or other functions that affect financial reporting or system reliability.

The AUD exam tests two separate distinctions. First, identify whether the report is SOC 1, SOC 2, or SOC 3. Second, identify whether the report is Type 1 or Type 2.

    flowchart TD
        A["Service organization controls"] --> B{"User concern"}
        B -- "Controls relevant to user financial statements" --> C["SOC 1"]
        B -- "Security, availability, processing integrity, confidentiality, or privacy" --> D["SOC 2"]
        B -- "General-use public summary of SOC 2 subject matter" --> E["SOC 3"]
        C --> F{"Timing"}
        D --> F
        E --> F
        F -- "As of a date" --> G["Type 1: design only"]
        F -- "Over a period" --> H["Type 2: design and operating effectiveness"]

SOC Report Types

| Report | Primary purpose | Typical users | Use restriction |
| --- | --- | --- | --- |
| SOC 1 | Controls at a service organization relevant to user entities’ internal control over financial reporting. | User entities and user auditors. | Restricted use. |
| SOC 2 | Controls relevant to Trust Services Criteria such as security, availability, processing integrity, confidentiality, and privacy. | Management, customers, business partners, regulators, and other specified users. | Restricted use. |
| SOC 3 | General-use report related to SOC 2 subject matter, with less detail. | Broad public users. | General use. |

SOC 1 is about financial statement audit relevance. SOC 2 is about trust services controls. SOC 3 is the public-facing, less detailed version tied to SOC 2-type criteria.

SOC 1 Reports

A SOC 1 report helps user auditors understand controls at a service organization that may affect a user entity’s financial statements. Payroll processors, claims processors, loan servicers, and transaction processors are common examples.

User auditors use SOC 1 reports to:

  • Understand outsourced processes relevant to the audit.
  • Identify controls at the service organization.
  • Evaluate whether complementary user entity controls are needed.
  • Decide whether the report supports reduced control testing at the service organization.
  • Consider whether additional procedures are needed for user-entity audit risks.

A SOC 1 report does not provide assurance over general cybersecurity unless those controls are relevant to user financial reporting.

SOC 2 and SOC 3 Reports

SOC 2 reports address controls using the Trust Services Criteria. Security is common to all SOC 2 reports; availability, processing integrity, confidentiality, and privacy may be included when relevant to the service commitment.

| Trust Services area | Typical concern |
| --- | --- |
| Security | Systems are protected against unauthorized access and related risks. |
| Availability | Systems are available for operation and use as committed. |
| Processing integrity | System processing is complete, valid, accurate, timely, and authorized. |
| Confidentiality | Confidential information is protected as committed. |
| Privacy | Personal information is collected, used, retained, disclosed, and disposed of according to commitments and criteria. |

SOC 3 reports cover similar subject matter at a higher level and are designed for general distribution. They do not provide the same detailed control descriptions and test results that user entities receive in a SOC 2 report.

Type 1 vs. Type 2

Type 1 and Type 2 are timing and evidence distinctions, not SOC 1 versus SOC 2 distinctions.

| Report timing | What it covers | Exam phrase |
| --- | --- | --- |
| Type 1 | Description of the system and suitability of control design as of a specified date. | “As of” a date; design only. |
| Type 2 | Description of the system, suitability of control design, and operating effectiveness over a specified period. | “Throughout the period”; design and operating effectiveness. |

If a user auditor wants evidence that controls operated effectively during the audit period, Type 2 is usually more useful than Type 1.

Complementary Controls and Subservice Organizations

SOC reports often identify controls that must exist outside the service organization.

| Concept | Meaning |
| --- | --- |
| Complementary user entity controls | Controls the user entity must operate for the service organization’s controls to achieve the stated objectives. |
| Complementary subservice organization controls | Controls expected at another service provider used by the service organization. |
| Carve-out method | Subservice organization controls are excluded from the report scope, but related complementary controls may be described. |
| Inclusive method | Subservice organization controls are included in the report scope. |

The user auditor cannot rely on a SOC report mechanically. The auditor must consider whether complementary controls at the user entity are designed and operating.

Choosing the Right SOC Report

| Fact pattern | Best answer |
| --- | --- |
| Payroll service processes payroll amounts that feed user financial statements | SOC 1 |
| Cloud provider wants to show customers controls over security and availability | SOC 2 |
| Service organization wants a public, high-level report for marketing and general users | SOC 3 |
| User auditor needs operating effectiveness evidence over the year | Type 2 |
| User only needs whether controls were suitably designed at a point in time | Type 1 |

The exam trap is choosing SOC 2 simply because a system is computerized. If the outsourced system affects user financial statements, SOC 1 may be the relevant report for the user auditor.

Exam Traps

  • SOC 1 relates to user entities’ financial statement audits.
  • SOC 2 relates to Trust Services Criteria, not GAAP financial statement assertions.
  • SOC 3 is general use and less detailed than SOC 2.
  • Type 1 is as of a date; Type 2 covers a period.
  • Type 2 includes operating effectiveness; Type 1 does not.
  • Complementary user entity controls still matter.
  • A SOC report does not eliminate all audit procedures at the user entity.

Quick Review

Use this sequence for SOC questions:

  1. Identify the user need: financial reporting, trust services controls, or public summary.
  2. Select SOC 1, SOC 2, or SOC 3.
  3. Decide whether the question asks for design as of a date or operating effectiveness over a period.
  4. Select Type 1 or Type 2.
  5. Consider complementary user entity controls.
  6. Avoid assuming a SOC report removes all user-auditor responsibility.

Review Questions

### Which report focuses on controls relevant to user entities' financial statement audits?

- [x] SOC 1.
- [ ] SOC 2.
- [ ] SOC 3.
- [ ] Compilation report.

> **Explanation:** SOC 1 reports address controls at a service organization relevant to user entities' internal control over financial reporting.

### Which report is most relevant for a cloud provider's security and availability commitments?

- [ ] SOC 1 only.
- [x] SOC 2.
- [ ] Compilation report.
- [ ] Review report under SSARS.

> **Explanation:** SOC 2 reports address Trust Services Criteria such as security and availability.

### What is SOC 3?

- [ ] A restricted-use financial reporting controls report.
- [ ] A detailed user-auditor report with control test results.
- [x] A general-use report related to SOC 2 subject matter.
- [ ] A preparation engagement under AR-C 70.

> **Explanation:** SOC 3 is designed for broad distribution and contains less detail than SOC 2.

### What does a Type 1 SOC report cover?

- [ ] Operating effectiveness over a period only.
- [x] Suitability of control design as of a specified date.
- [ ] A financial statement audit opinion.
- [ ] All complementary user entity controls.

> **Explanation:** Type 1 reports focus on design at a point in time.

### What does a Type 2 SOC report add beyond Type 1?

- [ ] General-use distribution.
- [ ] A tax opinion.
- [x] Operating effectiveness over a specified period.
- [ ] Elimination of user-auditor procedures.

> **Explanation:** Type 2 reports include tests of operating effectiveness throughout a period.

### A payroll processor affects payroll expense and payroll liabilities in user financial statements. Which report is most relevant to the user auditor?

- [x] SOC 1 Type 2, if operating effectiveness evidence is needed.
- [ ] SOC 3 only.
- [ ] A general marketing security report.
- [ ] Preparation engagement report.

> **Explanation:** Payroll processing affects financial reporting, so SOC 1 is the relevant SOC category for the user auditor.

### Which controls must the user auditor still consider when using a SOC report?

- [ ] Controls at unrelated competitors.
- [ ] The service auditor's personal tax controls.
- [x] Complementary user entity controls.
- [ ] Controls over the CPA firm's billing system.

> **Explanation:** SOC reports often assume certain controls operate at the user entity.

### Which Trust Services area addresses whether systems are protected against unauthorized access?

- [x] Security.
- [ ] Revenue recognition.
- [ ] Going concern.
- [ ] Equity classification.

> **Explanation:** Security is the Trust Services area focused on protection against unauthorized access and related risks.

### Why is Type 2 usually more useful than Type 1 for a user auditor seeking reliance over the audit period?

- [ ] Type 2 is always general use.
- [x] Type 2 tests operating effectiveness over a period.
- [ ] Type 2 omits all control descriptions.
- [ ] Type 2 is limited to privacy only.

> **Explanation:** Operating effectiveness over time is usually more relevant to user-auditor reliance than design as of one date.

### Which statement about SOC reports is correct?

- [ ] A SOC report eliminates all audit procedures at the user entity.
- [ ] SOC 2 is always the right report whenever computers are involved.
- [x] The report type depends on whether users need financial reporting control assurance, trust services control assurance, or a general-use summary.
- [ ] SOC 3 contains more detailed control testing than SOC 2.

> **Explanation:** SOC 1, SOC 2, and SOC 3 serve different user needs and distribution models.

Revised on Monday, June 15, 2026