Service organization control (SOC) reports have more than replaced the SAS 70; they’ve also increased the reporting functionality. Whether you are a user entity or service organization, it’s important to learn more about SOC reports. For example, what questions should a user entity consider when deciding whether an SOC report is needed? What are the differences between the three types: SOC-1, SOC-2, and SOC-3? How does an organization determine which SOC report is needed? And, since there are many common misconceptions regarding SOC reports, so what’s fact and what’s fiction?