The teams that analyze the security procedures should be aware of the output and reporting capabilities for the data. Any information that is of concern must be reported to the management teams immediately so that they are aware of possible risks or alerts. The level of detail given to the management teams might vary depending on their roles and involvement. The type of auditing being performed can also determine the type of reports that must be used. For example, for an SSAE 16 audit, a Service Organization Control (SOC) report is required. There are four types of SOC reports:
- SOC 1 Type 1. This report outlines the findings of an audit, as well as the completeness and accuracy of the
documented controls, systems and facilities.
- SOC 1 Type 2. This report includes the Type 1 report, along with information about the effectiveness of the
procedures and controls in place for the immediate future.
- SOC 2. This report includes the testing results of an audit.
- SOC 3. This report provides general audit results with a datacenter certification level