Vendor SOC 1, 2 or 3 – Understanding the Differences

A Vendor's SOC 1

Overall, a SOC 1 is used to address internal controls that relate to a vendor’s financial reporting. It essentially looks at the quality of the vendor’s bookkeeping by disclosing its financial and accounting controls.

Furthermore, the SOC 1 is broken down into two different types – a SOC 1 Type I and SOC 1 Type II. A Type I report evaluates controls within a single point in time (a single date) and often doesn’t test controls. A Type II report is considered the ideal option because it tests control effectiveness over a period of time, thereby giving you better insight into patterns or recurring issues.

A Vendor's SOC 2

In most cases, you’ll want to request the SOC 2 report. This is especially true when you’re dealing with an IT related vendor. Many people mistakenly believe that a SOC 2 report is simply the “next level” compared to a SOC 1, but the two reports are completely distinct and should be treated separately. It’s an apple to oranges comparison.

A SOC 2 report examines a service organization’s controls over one or more of the following five standards known as Trust Services Criteria (TSC):

• Security
• Availability
• Processing Integrity
• Confidentiality
• Privacy

One of the benefits of a SOC 2 report is its consistency. This is the only audit that defines a consistent set of criteria that’s specific to the products of services that a vendor provides to you. When you want to measure the security, availability, confidentiality, processing integrity and/or privacy of a vendor product or service, there’s no better way to do this than by requesting a copy of their independently audited SOC 2 report.

Like the SOC 1, the SOC 2 report also comes in two types. A Type I report ensures that controls and in place and a Type II confirms that they’re effective. So, as you can probably guess, a SOC 2 Type II report is the best representation of how well a vendor is managing and safeguarding your data.

Remember when you review your Vendor’s SOC report, the controls are created by the vendor and tested by an auditor or CPA firm.

A Vendor's SOC 3

Now that you understand why a SOC 2 Type II is highly valuable, don’t be fooled into believing that the SOC 3 is even better, because it’s not!

From our perspective, a SOC 2 Type II is much preferable to a SOC 3. While a SOC 3 might have some of the components of a SOC 2, it won’t be as comprehensive as it is simply a summary report.

Let’s explain. A SOC 3 is designed to be made publicly available, without the requirement of a nondisclosure agreement (NDA). For this reason, it’s less detailed, less technical and won’t contain the same level of critical information that can be found in a SOC 2 Type II. In other words, a SOC 3 report is basically a high-level summary that’s been approved by the vendor, which can be posted on their website.

You may choose to use a SOC 3 during the initial due diligence stage, but a SOC 2 Type II is ideal for your more serious prospects.