The term “SOC” refers to Service Organization Control. A SOC audit is conducted by a third-party accounting or consulting firm to assure the customers and stakeholders of a service-based company that the service provider has appropriate, effective controls governing the management and delivery of its services.
SOC audits produce reports governed by the AICPA (American Institute of Certified Public Accountants) under the auditing guidelines known as the Statement on Standards for Attestation Engagements (SSAE) 16. In the context of vendors providing services to a company’s Corporate Social Responsibility (CSR) programs, three kinds of SOC audits are available:
- SOC 1 focuses on the service provider’s financial controls (think funds disbursement for a CSR vendor).
- SOC 2 addresses controls related to operations and compliance, especially security, privacy and data integrity (think software engineering and database integrity for a CSR vendor using SaaS software).
- SOC 3 is a SOC 2 prepared for public distribution and carries additional assurances of operational excellence.
Use of SOC 1 and SOC 2 reports is generally restricted to the service provider and its clients, under NDA. SOC 3 is a document designed for public consumption.
For each kind of audit, both Type I and Type II reports are available:
- Type I refers to an assessment of the design of the controls at a point in time.
- Type II refers to an assessment of the design of the controls together with testing of those controls over a period of time (e.g. testing controls over six months).