SOC Engagement Categories & Types Simulation
An interactive guide to understanding SOC reports.
Step 1: Understanding SOC Basics
Organizations often outsource key business operations. This creates two main roles:
User Entity
The organization that utilizes outsourced services. For example, a company that hires another firm to handle its payroll.
Service Organization
The outside organization that provides the services, such as a cloud provider, a credit card processor, or a customer support center.
A System and Organization Controls (SOC) report provides assurance to the User Entity that the Service Organization has effective controls in place for the services it provides.
Report Types: Type 1 vs. Type 2
SOC reports come in two types, which determine the level of assurance provided:
- Type 1 Report: Reports on the design of controls at a single point in time. It answers the question: "Are your controls designed properly as of today?"
- Type 2 Report: Reports on both the design and operating effectiveness of controls over a period of time (usually 6-12 months). It answers the question: "Did your properly designed controls work as intended over the last year?"
Step 2: Choose the Right SOC Report
The type of SOC report needed depends on the user's specific concerns.
Step 3: Exploring the Trust Services Criteria (for SOC 2 & SOC 3)
SOC 2 and SOC 3 reports are built on the five Trust Services Criteria. A report can cover one or more of these categories:
- Security
- Availability
- Processing Integrity
- Confidentiality
- Privacy