March 11, 2025

The Evolution of SOC Reporting: Key Findings from the 2024 SOC Benchmark Study (Part Two)

System and Organization Controls (SOC) reporting is more than just a compliance measure — it’s a strategic tool to build stakeholder trust and credibility. By engaging a reputable third-party auditor, organizations can uncover hidden vulnerabilities, strengthen security practices and demonstrate their commitment to protecting sensitive data. This transparency and accountability facilitate regulatory compliance and instill confidence among clients, partners and the broader market.

The 2024 SOC Benchmark Study, conducted by CBIZ and CBIZ CPAs P.C., builds on these principles by highlighting emerging trends, key challenges and opportunities for improving SOC compliance. This year’s review of 193 SOC reports — up from 154 last year — offers deeper insights into the evolving SOC landscape across various industries.

In our previous article, we focused on the report’s key highlights. Now, in this second installment, we’ll take a closer look at the first half of our results, exploring what they reveal about current SOC practices and how organizations can use these insights to bolster their own compliance efforts.

Deep Dive into Key SOC Findings: 2024 Benchmark Study

This section examines the number of objectives in SOC 1 reports, the number of categories in SOC 2 reports, the number of controls in both SOC 1 and SOC 2 reports, as well as trends related to subservice providers and internal audits. These insights provide valuable guidance for organizations striving to enhance their SOC compliance and optimize risk management strategies.

Number of Objectives (SOC 1)

SOC 1 reports vary widely in the number of objectives they contain, ranging from as few as three to as many as 65. This year’s findings show more than half (52.5%) of SOC 1 reports included between one and nine control objectives, a proportion nearly identical to 2023 findings (53%). A notable shift, however, is the slight increase in reports with more than 20 objectives, which raised the overall average from 10 to nearly 12.

Key Takeaways:

  • Organizations should work closely with their auditors to ensure that the objectives defined in their SOC 1 reports are comprehensive and relevant.
  • Reports with fewer than four objectives should be carefully reviewed, as they may not fully cover essential financial and IT general controls (ITGC). A “minimum” ITGC framework includes logical access, change management and operations (backup and automated job scheduling). If a full SOC 1 has only four objectives, and three of the four are ITGC, then is one business process objective really sufficient to cover all financial risk?
  • High objective counts should prompt a review to consolidate objectives where feasible, improving clarity and efficiency.

Number of Categories (SOC 2)

The 2024 study analyzed 73 SOC 2 reports, nearly doubling from last year’s 38, providing a broader data set for comparison. One key trend is the increased inclusion of confidentiality as an in-scope category, which grew from 34% in 2023 to 64.4% in 2024. This shift reflects a heightened emphasis on protecting sensitive data. Security remains the most prevalent category, appearing in 100% of reports, despite an AICPA FAQ in November 2020 that specified it was not required.

Key Takeaways:

  • Availability was the second most common category, appearing in 75.3% of SOC 2 reports, showing a slight increase from 71% last year.
  • The increased adoption of SOC 2+ reports (9.6% of SOC 2 reports, including multiple security frameworks) highlights a growing trend toward integrating compliance across different regulatory standards.
  • Organizations considering SOC 2+ should discuss it with their service auditor, as not all security frameworks are keen to have their framework opined upon in conjunction with SOC 2.

Number of Controls (SOC 1 and SOC 2)

For SOC 1, the number of controls remained stable, averaging 69.95 this year compared to 68 last year. Despite minor fluctuations, this consistency reflects a stable control environment among service providers. However, an increase in reports with more than 200 controls suggests expanded audit scopes for larger institutions.

For SOC 2, the study found an increase in reports containing more than 150 security controls, rising from 16% in 2023 to 23% this year. While some of this growth may be due to auditors expanding their testing scope, organizations should pursue control rationalization and avoid unnecessary redundancies.

Key Takeaways:

  • SOC 1 reports typically feature between 18 and 50 controls, with this range remaining nearly unchanged from last year.
  • The rise in SOC 2 reports with over 150 security controls suggests a more rigorous approach to compliance but may also indicate inefficiencies due to redundant controls.
  • Organizations should work with auditors to streamline control mappings to avoid excessive documentation burdens.

Subservice Providers

This year’s study found that reliance on subservice providers continues to be a significant trend, with 89.6% of reports including them, up from 82% last year. The most common model remains the carve-out approach (96%), where subservice providers are excluded from the audit scope.

Key Takeaways:

  • We were pleased to see a slight increase in reports including subservice providers, rising from 82% last year to 89.6% this year. This reflects the reality that most service environments depend on multiple providers. A Gartner study from October 2022 showed that 78% of companies use 16 or more tools to manage their environments, with some managing over 46 tools, often involving more than 10 vendor relationships.
  • Report users should inquire about reports that fail to mention subservice providers, as these may not fully capture third-party risk dependencies. As the saying goes, you cannot outsource risk, and you inherit the risk of those you work with, so it would be in your organization’s best interest to understand whose risk you are inheriting. Inheriting the cloud hosting risk for Amazon may be a less risky venture than inheriting the risk of an unknown cloud hosting provider.

Internal Audit Trends

Internal audit (IA) utilization declined in 2024, with only 5.2% of SOC reports relying on IA to reduce testing—down from 8% last year. This decrease may be attributed to AICPA guidance updates, which no longer require a service auditor to disclose reliance upon internal audit. The rationale is that the service auditor absorbs the risk of utilizing internal audit and therefore ultimately bears responsibility for the quality of that work. As logical as this change in guidance may be, it appears that going forward, it will likely be rare to see instances where internal audit was leveraged.

Key Takeaway:

  • Organizations should advocate for the continued use of internal audit in their SOC processes, as doing so can help reduce audit scope and lower costs.

Next Steps

Check out our 2024 SOC Benchmark Study to see the full results.

If you need assistance conducting a SOC 1 or SOC 2 report or have questions regarding the process, connect with one of our professionals.

Also, stay tuned as we continue to break down the data and provide actionable insights for SOC compliance optimization. In the next article in this three-part series, we will explore the most common areas for control exceptions and qualifications and provide some best practices to alleviate these.
