SOC 1, SOC 2, and SOC 3 Reports

What is a SOC Report?

A SOC report stands for System & Organizational Controls. These reports are internal control reports that outline the services that are being provided by a service organization and the controls related to the service that is being offered. This provides valuable information to potential customers and allows the service organization to build trust and confidence around their service offerings.

What are the types of reports?

With the change from SAS 70 to SSAE 16 and now to SSAE 18, there are now several types of reports that can be issued. SOC 1 Reports fall under the guidance of SSAE 18, while SOC 2 Reports fall under the guidance of AT Section 101. Below is a brief summary of each of these SOC reports:

SOC Flow

SSAE 18 SOC 1 Report

A SOC 1 report examines internal controls at a service organization that impact a user entity’s (your customers) controls over financial reporting. This report is only to be issued when an auditor of your customer needs to gain comfort with your controls to be able to issue audited financial statements. This report can only be used by the auditors of user entities and user entities’ management. 

Within SOC 1 reporting, there are Type 1 and Type 2 reports. The Type 1 report identifies the controls at a service organization but does not perform any testing to determine if the controls are operating effectively. Type 2 reports identify the controls and report on the operating effectiveness of these controls based on the testing performed. 

AT101 SOC 2 Report

An AT 101 SOC 2 report provides detail on the controls at a service organization relevant to the trust service principles. The five trust principles are:

SSAE 16 Tiered


The AT 101 SOC 2 report can cover any or all of these principles. A SOC 2 report is typically provided to customers to give them comfort over the controls surrounding the trust service principles. Similar to SOC 1 reporting, both Type 1 and Type 2 reports are available within SOC 2 reporting.

SOC 3 Report

A SOC 3 report is the same procedures as a SOC 2 Type 2 report without the details on the controls. This report is typically used for marketing purposes and there are no restrictions on whom this report can be provided.


For more details on how Compass can help your organization with your SOC Reports, view our
SOC 2 Readiness Approach