SOC 1 and SOC 2 Reports for Financial Services

SOC 1 and SOC 2 reports are formal attestation documents issued by independent certified public accountants under standards established by the American Institute of Certified Public Accountants (AICPA). For financial services organizations — including banks, payment processors, investment advisers, and fund administrators — these reports serve as primary instruments for demonstrating that internal controls over financial reporting or data security operate as designed. Understanding the structural differences, regulatory contexts, and limitations of each report type is essential for organizations that rely on third-party service providers and for the service organizations that serve them.


Definition and Scope

SOC reports belong to the System and Organization Controls framework administered by the AICPA under its Statement on Standards for Attestation Engagements No. 18 (SSAE 18), which replaced the earlier SSAE 16 standard. SSAE 18 governs how service auditors evaluate and report on controls at service organizations — entities that operate systems or processes that affect the financial statements or operational security of user organizations (their clients).

SOC 1 reports address internal controls over financial reporting (ICFR). They are relevant when a service organization's processing could affect the financial statements of its user organizations. Examples in financial services include fund administrators that calculate net asset values, payroll processors that generate data flowing into general ledgers, and transfer agents that maintain shareholder records.

SOC 2 reports address security, availability, processing integrity, confidentiality, and privacy — the five Trust Services Criteria (TSC) established by the AICPA. A SOC 2 engagement must cover security (the common criteria); coverage of the remaining four criteria is selective based on the service organization's commitments.

Both report types are distinct from regulatory examination findings. The SEC, FDIC, OCC, and FINRA do not issue SOC reports; those agencies conduct their own examinations under statutory authority. SOC reports are private-sector attestations, and their evidentiary weight in regulatory contexts depends on how the relevant regulator treats third-party attestations. For a broader view of how different audit types interact in financial services, see Financial Audit Types Explained.


Core Mechanics or Structure

Both SOC 1 and SOC 2 engagements produce two sub-types of reports:

Type I describes the design of controls at a specific point in time. The service auditor evaluates whether the described controls are suitably designed to achieve the stated control objectives (SOC 1) or Trust Services Criteria (SOC 2) as of the report date.

Type II covers a minimum period of six months (AICPA guidance recommends 6–12 months) and evaluates both design and operating effectiveness. Type II reports are more operationally useful to financial services clients and their auditors because they provide evidence of sustained control performance across a defined period.

A SOC 1 or SOC 2 report contains five standard components:

  1. Management's description of the service organization's system — scope, boundaries, and subservice organizations
  2. Management's assertion that the description is accurate and that controls are suitably designed (Type I) or effective (Type II)
  3. The service auditor's opinion — issued under AT-C Section 320 (SOC 1) or AT-C Section 205 (SOC 2) of SSAE 18
  4. A description of the tests of controls and the results (Type II only)
  5. Other information provided by management, which is not covered by the auditor's opinion

The Trust Services Criteria for SOC 2 are published in the AICPA's document Trust Services Criteria (TSC 2017), last updated with revisions addressing cybersecurity. The common criteria (CC1 through CC9) map substantially to the COSO 2013 Internal Control — Integrated Framework, the same framework used in Sarbanes-Oxley Section 404 audit requirements. This alignment means SOC 2 common criteria address control environment, risk assessment, control activities, information and communication, and monitoring.


Causal Relationships or Drivers

Three regulatory and market forces drive demand for SOC reports in financial services:

Regulatory vendor oversight requirements. The OCC's guidelines on third-party risk management (OCC Bulletin 2013-29) and the FDIC's Statement on Technology-Related Risk Management direct supervised institutions to obtain evidence of control effectiveness at service providers. SOC reports are the most widely accepted standardized format for satisfying this expectation. See Third-Party Vendor Audit in Financial Services for the broader vendor oversight framework.

Public company financial statement audits. Under auditing standards issued by the PCAOB (AS 2601, Consideration of the Internal Control of a Service Organization) and the AICPA's AU-C Section 402, a user organization's external auditor must understand and evaluate controls at service organizations that process transactions relevant to the user's financial statements. A SOC 1 Type II report from the service organization provides the auditor with the primary documented basis for that evaluation, reducing the need for direct testing at the service organization's facilities.

Institutional client due diligence. Hedge funds, private equity funds, and mutual funds subject to SEC registration face investor and regulatory scrutiny of their fund administrators and custodians. A clean SOC 1 Type II from a fund administrator signals that NAV calculations and investor recordkeeping controls have been independently evaluated — a factor that institutional limited partners and SEC examination staff routinely request.

These three drivers compound: a single payment processor serving 400 user organizations faces simultaneous demand from all 400 external audit teams, making a single SOC 1 report far more efficient than 400 individual direct audits.


Classification Boundaries

SOC 1 and SOC 2 are not interchangeable and are not hierarchical. The selection depends on what the user organization needs to demonstrate:

Scenario | Appropriate Report
--- | ---
Service provider processes data that flows into client financial statements | SOC 1
Service provider hosts client data but does not affect financial reporting | SOC 2
Service provider does both (e.g., a cloud ERP platform) | Both SOC 1 and SOC 2
User organization's auditor needs ICFR evidence | SOC 1 Type II
Client security team needs operational risk evidence | SOC 2 Type II

A SOC 3 report is a publicly distributable summary of a SOC 2 engagement — it contains the service auditor's opinion but omits the detailed test descriptions and results. SOC 3 reports are unsuitable for external financial audit reliance because they lack the granular test information required by AU-C Section 402 and PCAOB AS 2601.

Subservice organizations introduce an important boundary issue. When a service organization relies on another provider (e.g., a cloud infrastructure provider), it may address that dependency through either the inclusive method (the subservice organization's controls are included in the scope) or the carve-out method (the subservice organization's controls are explicitly excluded). User organizations and their auditors must identify carve-outs and obtain separate evidence for the excluded controls. This is a frequent source of gaps in compliance programs and relates directly to IT Audit in the Financial Services Sector.


Tradeoffs and Tensions

Scope creep versus meaningful coverage. Service organizations face commercial pressure to expand the system description and control list to satisfy the widest possible client base. Overly broad descriptions can produce reports that are technically accurate but operationally misleading, as the auditor's opinion covers a system boundary that few individual clients actually use.

Complementary user entity controls (CUECs). SOC reports explicitly identify controls that user organizations must implement for the overall control structure to function. If a user organization fails to implement CUECs, the SOC report's clean opinion does not protect that user. External auditors at user organizations must test CUECs independently; a SOC report does not eliminate this obligation under AU-C Section 402.

Lag time and coverage period. A SOC 2 Type II with a December 31 report date typically reflects controls tested through September or October of the same year. A client reviewing the report in March of the following year is relying on evidence that may be 5–6 months old. Material changes to a service organization's infrastructure during that gap are not captured.

Exceptions and qualifications. A service auditor who identifies a control deficiency during testing may issue a qualified opinion or note exceptions. Exceptions do not automatically indicate a reportable control failure for user organizations, but they require user auditors to assess whether compensating controls or alternative procedures are needed. This creates a downstream audit burden that is often underestimated.


Common Misconceptions

Misconception: A SOC 2 report certifies security compliance. SOC 2 is an attestation against the AICPA's Trust Services Criteria, not a regulatory certification. It does not confirm compliance with HIPAA, GLBA, PCI DSS, or any federal cybersecurity standard. Regulators do not treat a clean SOC 2 as proof of regulatory compliance under any statutory framework.

Misconception: SOC 1 and SOC 2 are issued by the same body that issues regulatory examination findings. SOC reports are CPA-firm attestations governed by AICPA standards. No federal banking regulator (OCC, FDIC, Federal Reserve) or securities regulator (SEC, FINRA) issues or endorses SOC reports. Agencies may reference them in guidance as acceptable evidence, but they retain independent examination authority.

Misconception: A Type I report is sufficient for external financial audit reliance. Type I reports cover design only. Under PCAOB AS 2601 and AU-C Section 402, reliance on a service organization's controls for financial statement audit purposes requires evidence of operating effectiveness — which only a Type II report (or direct testing by the user auditor) provides.

Misconception: Subservice organization carve-outs are a minor formatting choice. When a carve-out is used, the service auditor's opinion explicitly does not cover the carved-out entity's controls. A cloud platform hosting 100% of a service organization's processing infrastructure may be carved out entirely, meaning the user organization has no auditor-attested evidence for the most operationally critical component of the system.

Misconception: SOC reports are publicly available. SOC 1 and SOC 2 reports are restricted-use documents. They are distributed only to user organizations that have a business relationship with the service organization and to regulators with appropriate authority. SOC 3 reports are the only SOC variant designed for general distribution.


Checklist or Steps

The following sequence describes the standard phases of a SOC engagement — not advisory guidance. These phases reflect AICPA professional standards for SOC examinations.

Pre-Engagement Phase
- Define scope: identify which system(s), infrastructure components, and processes will be included
- Select report type (SOC 1 vs. SOC 2) and sub-type (Type I vs. Type II)
- Identify applicable criteria: ICFR objectives (SOC 1) or Trust Services Criteria (SOC 2)
- Determine coverage period (minimum 6 months for Type II)
- Identify subservice organizations and select inclusive or carve-out method

Readiness Assessment Phase
- Map existing controls to control objectives or Trust Services Criteria
- Identify control gaps against applicable criteria
- Document control activities, evidence repositories, and responsible parties
- Assess complementary user entity control dependencies

Examination Phase
- Service auditor issues engagement letter under SSAE 18
- Management prepares and finalizes the system description
- Service auditor conducts risk assessment and designs test procedures
- Testing performed: inquiry, observation, inspection of documentation, re-performance
- Exceptions identified and communicated to management for response

Report Issuance Phase
- Management finalizes assertion
- Service auditor issues opinion (unqualified, qualified, or adverse)
- Report assembled: description, assertion, opinion, test results (Type II), and other information
- Distribution restricted to specified user organizations and their auditors

Post-Issuance Phase
- User organizations' auditors review SOC report and evaluate exceptions
- User auditors test CUECs at user organization level
- Gaps from subservice carve-outs addressed through supplemental procedures
- Bridge letters obtained for periods after SOC report date if needed

For context on how these attestations interact with regulatory examinations at supervised institutions, see Regulatory Examination Preparation for Financial Firms.


Reference Table or Matrix

SOC Report Type Comparison Matrix

Attribute | SOC 1 Type I | SOC 1 Type II | SOC 2 Type I | SOC 2 Type II | SOC 3
--- | --- | --- | --- | --- | ---
Governing standard | SSAE 18, AT-C §320 | SSAE 18, AT-C §320 | SSAE 18, AT-C §205 | SSAE 18, AT-C §205 | SSAE 18, AT-C §205
Criteria framework | ICFR objectives | ICFR objectives | Trust Services Criteria | Trust Services Criteria | Trust Services Criteria
Coverage | Point in time | ≥6 months | Point in time | ≥6 months | ≥6 months (summarized)
Tests of controls included | No | Yes | No | Yes | No
Suitable for financial statement audit reliance | No | Yes | No | No | No
Distribution | Restricted | Restricted | Restricted | Restricted | Public
Addresses ICFR | Yes | Yes | No | No | No
Addresses security/availability/etc. | No | No | Yes | Yes | Yes

Common Financial Services Use Cases by Report Type

Organization Type | Typical Report Needed | Regulatory Driver
--- | --- | ---
Fund administrator (NAV calculation) | SOC 1 Type II | PCAOB AS 2601; AU-C §402
Cloud SaaS provider (non-ICFR data) | SOC 2 Type II | OCC Bulletin 2013-29; FDIC vendor guidance
Transfer agent | SOC 1 Type II | SEC Rule 17Ad-13; AU-C §402
Payment processor | SOC 1 Type II + SOC 2 Type II | Multiple — ICFR and security both relevant
Core banking platform provider | SOC 1 Type II | FDIC FIL-44-2008; OCC Bulletin 2013-29
Investment adviser (subadvisor) | SOC 1 Type II | SEC investment adviser examination practice

For the role of external auditors in evaluating these attestations, see Auditor Independence in Financial Services.

