Side-by-side comparison

What it covers
  SOC 1: Controls at a service organisation relevant to user entities' internal control over financial reporting.
  SOC 2: Controls related to security, availability, processing integrity, confidentiality, or privacy (Trust Services Criteria).
  SOC 3: Same scope as SOC 2 but in a summarised format.

Who uses it
  SOC 1: User auditors performing financial statement audits and the user entity's management.
  SOC 2: Management of the service organisation and its customers who need assurance over IT controls.
  SOC 3: Anyone. SOC 3 is a general-use report, often published on the service provider's website.

Distribution
  SOC 1: Restricted use. Available only to the service organisation and user entities (including their auditors).
  SOC 2: Restricted use. Same restricted distribution as SOC 1.
  SOC 3: General use. No distribution restrictions.

Type I and Type II
  SOC 1: Yes. Type I covers design at a date. Type II covers design and operating effectiveness over a period.
  SOC 2: Yes. Same distinction applies.
  SOC 3: No. SOC 3 is always based on a Type II examination but omits detailed test descriptions.

Governing standard
  SOC 1: AT-C 320 (US). International equivalent is ISAE 3402.
  SOC 2: AT-C 205 (US). No direct international equivalent.
  SOC 3: AT-C 205 (US). No direct international equivalent.

Key Points

  • SOC 1 is the only report type relevant to a financial statement audit because it covers controls over financial reporting.
  • SOC 2 addresses IT security and operational controls, not financial reporting assertions.
  • SOC 3 is a shortened, general-use version of SOC 2 with no detailed testing results.
  • European auditors who receive a SOC 2 instead of a SOC 1 cannot use it as evidence under ISA 402.

When the distinction matters on an engagement

The distinction matters when a European audit client uses a US-based service provider and the service provider offers a SOC report. The question is always the same: does this report give me evidence I can use in a financial statement audit?

ISA 402.12 allows the user auditor to use a service auditor's report as audit evidence, but the report must address controls relevant to the user entity's financial reporting. A SOC 1 report does this. A SOC 2 does not, because the Trust Services Criteria address IT operational controls, not financial reporting assertions. A SOC 3 is even further removed because it omits detailed test results entirely.

The error is accepting a SOC 2 from a service provider and documenting it in the file as evidence of control effectiveness over financial reporting. It is not.

Worked example: Johansson Analytics AB

Client: Swedish data analytics company, FY2024, revenue €22M, IFRS reporter. Johansson uses three US-based service providers.

Provider 1: CloudPay Inc. (payroll processing, €3.1M payroll expense)

CloudPay provides a SOC 1 Type II report covering 1 January to 31 December 2024. The report addresses controls over payroll input validation and disbursement relevant to user entities' financial reporting.

Documentation note: "SOC 1 Type II report obtained from CloudPay Inc. Report covers controls relevant to financial reporting over the full audit period. Per ISA 402.12, report is acceptable as audit evidence for the completeness and accuracy of payroll expense. Assessed service auditor competence per ISA 402.13. No exceptions reported."

Provider 2: DataVault LLC (cloud hosting, €480K annual spend)

DataVault provides a SOC 2 Type II report covering the same period. The report addresses security and availability under the Trust Services Criteria.

Documentation note: "SOC 2 Type II report obtained from DataVault LLC. Report addresses Trust Services Criteria, not controls over financial reporting. Cannot be used as ISA 402 evidence for financial statement assertions. SOC 2 is noted for IT risk assessment context only. If reliance on DataVault's controls is needed for financial reporting purposes, a SOC 1 report must be requested or the user auditor must perform direct testing."

Provider 3: QuickSign Corp (digital signature platform, immaterial spend)

QuickSign publishes a SOC 3 report on its website.

Documentation note: "SOC 3 general-use report noted. No detailed test results available. Spend immaterial at €18K annual. No further procedures required."

If the team had used the SOC 2 report from DataVault as evidence supporting IT general controls over financial reporting, the file would misrepresent the scope of the evidence obtained.

What reviewers get wrong

The most frequent mistake is treating a SOC 2 report as interchangeable with a SOC 1 report. SOC 2 addresses Trust Services Criteria, not financial reporting controls. User auditors who document SOC 2 reports as ISA 402 evidence have relied on a report that does not address the relevant assertions.

When a US-based provider offers only a SOC 1 report (not an ISAE 3402 report), the user auditor must consider whether the AT-C 320 engagement was conducted at a standard equivalent to ISAE 3402. ISA 402.A20 addresses this. In practice, AT-C 320 and ISAE 3402 are closely aligned, but the user auditor should document the equivalence assessment rather than assuming it.

Key standard references

  • AT-C 320: Governs SOC 1 reports. International equivalent is ISAE 3402.
  • AT-C 205: Governs SOC 2 and SOC 3 reports. No direct international equivalent.
  • ISA 402.12: Permits the user auditor to use a service auditor's report as audit evidence.
  • ISA 402.A20: Addresses equivalence assessment when the report is prepared under a non-ISA framework.

Frequently asked questions

Can a SOC 2 report be used as evidence in a financial statement audit?

No. SOC 2 addresses the Trust Services Criteria (security, availability, processing integrity, confidentiality, privacy), not controls over financial reporting. ISA 402 requires evidence relevant to financial reporting assertions, which only a SOC 1 report provides.

What is the difference between SOC 2 and SOC 3?

SOC 2 and SOC 3 cover the same Trust Services Criteria, but SOC 2 is a restricted-use report with detailed test descriptions and results. SOC 3 is a general-use summary report, often published on the service provider's website, that omits the detailed testing information.