Information Technology Compliance: Service Organization Control (SOC) Reporting

SOC reports offer a confirmation of services provided by a service organization including information that users need to assess and address the risks associated with an outsourced service. They are designed to help Information Technology service organizations build trust and confidence in their service delivery processes and controls through a report by an independent Certified Public Accountant.


What are SOC 1, SOC 2 and SOC 3 Reports?

Expedient Data Centers publishes multiple SOC reports annually:

  • SOC 1 Report (Type II)
    Report on Controls at a Service Organization Relevant to User Entities’ Internal Control over Financial Reporting (SSAE-18)  – This report is used by customers undergoing financial statement audits and those who require compliance with the Sarbanes-Oxley Act or similar regulation. It reports on the effectiveness of controls in achieving stated objectives throughout a specified period and was formerly known as SAS 70. Receipt of this report requires execution of a mutual non-disclosure agreement and is available from an account manager.
  • SOC 2 + HITRUST CSF Report (Type II)
    Report on Controls at a Service Organization Relevant to Security, Availability and Confidentiality – This report is used by customers who require confidence in the critical business processes and procedures to complement compliance with various industry or government regulations with relevant requirements. The Health Information Trust (HITRUST) Alliance collaborates with healthcare industry, technology and security leaders to establish the Common Security Framework (CSF) for use in assessing organizations that create, access, store or exchange sensitive and/or regulated patient health information (PHI). The American Institute for Certified Public Accountants (AICPA) has partnered with the HITRUST Alliance to develop a single illustrative SOC 2 + HITRUST CSF report that incorporates all relevant criteria into a single control attestation. This framework supports the Health Insurance Portability and Accountability Act (HIPAA). Receipt of this report requires execution of a mutual non-disclosure agreement; the NDA and report are available from an Expedient account manager.
  • SOC 3 Report
    Trust Service Report for Organizations – This report is used by prospective and current customers as a general overview of controls related to certain processes and procedures. Receipt of this report requires acceptance of our terms and conditions and is available for download.

Expedient SOC reports use the National Institute of Standards and Technology (NIST) Special Publications control framework, including NIST SP 800-53. More information about SOC reporting is available from the American Institute of Certified Public Accountants (AICPA).


Request a Quote

  • This field is for validation purposes and should be left unchanged.
AICPA SOC CRN Managed Service Provider 500 logo Top Work places logo CRN Solution Provider 500 logo MSP Mentor 501 logo