The System and Organization Controls (SOC) framework, developed by the American Institute of Certified Public Accountants (AICPA), is a standard for controls that protect information stored in the cloud. Certified Public Accountants (CPAs) audit cloud service providers (CSPs), resulting in internal control reports on the services provided by a service organization. SOC reports can help users assess and address the risks associated with an outsourced service.
SOC 1 is an audit of the internal controls at a service organization that were implemented to protect client-owned data involved in client financial reporting. SOC 1 audits and reports are based on the Statement on Standards for Attestation Engagements (SSAE 18) and the International Standards for Assurance Engagements No. 3402 (ISAE 3402).
SOC 2 audits, based on the AICPA Trust Service Principles and Criteria, gauge the internal controls at a service organization that were implemented to protect customer-owned data. SOC 2 reports provide details about the nature of those internal controls.
A SOC 3 report is a condensed, publicly available version of the SOC 2 Type 2 audit report of controls put in place by service organizations. SOC 3 reports are intended for users that don’t need the full details of an SOC 2 report.