System and Organization Controls: Which compliance standard is the most suitable?

System and Organization Controls (SOC) in versions SOC 1®, SOC 2® and SOC 3® are auditing and reporting standards of the AICPA (American Institute of Certified Public Accountants). These standards enable service providers such as data center operators or cloud providers to ensure and prove to their customers that they have the effective controls and measures necessary to provide the required services securely. The Ecovis consultants know the details.

SOC 1®: Internal Control over Financial Reporting (ICFR)

This standard is specifically designed to examine the controls in place at service providers that are relevant to the service provider’s financial reporting. There are two types of report:

  • Type 1 – a report on the suitability of the design and adequacy of controls to achieve the relevant control objectives at a given time.
  • Type 2 – a report on the effectiveness of controls in achieving the relevant control objectives during a specified period of time (typically 6 months or 1 year).

SOC 2®: Trust Services Criteria

The controls examined in SOC 2 and SOC 3 reports are assessed against the so-called trust services criteria for security, availability, processing integrity, confidentiality and privacy. SOC 2 reports can also be Type 1 (adequacy of controls) or Type 2 (effectiveness of controls over a period of time).

SOC 3®: Trust Services Criteria for General Use Report

As with a SOC 2 report, a SOC 3 report addresses controls related to security, availability, integrity, and privacy/trust. SOC 3 reports are subject to the same audit criteria as SOC 2 reports. However, there are some differences between SOC 2 and SOC 3. For example, SOC 2 reports are confidential and are only provided to certain clients, whereas SOC 3 reports are intended for public consumption and are usually posted on the company’s website as a marketing tool.


Whenever accounting-related or financially critical data and processes are outsourced, companies should ask their future service providers for a SOC 1 report. If a company wants to outsource the processing of its sensitive customer data to an external service provider (cloud/data center), the IT service provider in question should obtain a SOC 2 report. As a rule, the service provider’s clients do not ask for a SOC 3 report. The service providers themselves make the SOC 3 report available to the public and thereby communicate their certified security.