SOC 1 vs. SOC 2: What’s the Difference?


    If your company provides services to other organizations, you’ve likely been asked to produce a SOC report at some point. At a high level, SOC reports are a way for service organizations to demonstrate that they’ve established strong internal controls for their information systems.

    Though that might seem fairly straightforward, there are two primary types of SOC reports, each of which pertains to a different set of internal controls. Without specific guidance, it can be unclear as to which type of SOC report a current or prospective client is looking for.

    In this article, we’ll look at SOC 1 and SOC 2 reports and explain what they are, how they differ, how to determine which one you need and more.

    What are SOC Reports?

    System and Organization Controls (SOC) reports — formerly known as Service Organization Control reports — are audit reports, issued under standards set by the American Institute of Certified Public Accountants (AICPA), that validate whether a third-party vendor has established effective internal controls over its information systems. These controls can range anywhere from restricting system access to authorized users to conducting penetration tests to identify potential vulnerabilities.

    KEY TERMS

    Third-party vendors are known as “service organizations” in SOC parlance; the companies they provide services to are known as “user entities.”

    Accordingly, any CPA who conducts SOC 1 and SOC 2 audits on behalf of a service organization is known as a “service auditor,” and any CPA who conducts an audit on behalf of a user entity is known as a “user auditor.”

    Although SOC reports are not mandated, they can help support compliance initiatives and inspire confidence in a service organization’s security protocols and procedures amongst user entities.

    SOC 1 vs. SOC 2: What’s the Difference?

    As noted in our introduction, there are two primary types of SOC audit and report: SOC 1 and SOC 2.

    SOC 1
    The SOC 1 auditing procedure addresses a service organization’s internal controls over financial reporting (ICFR). Service organizations preparing to undergo a SOC 1 audit are responsible for determining their own key control objectives — that is, the risks that controls are meant to prevent — pertaining to the processing and secure storage of customer information. Performance and reporting requirements for SOC 1 audits, as well as application guidelines for any CPA performing a SOC 1 audit, can be found in AT-C Section 320 of Statements on Standards for Attestation Engagements No. 18 (SSAE 18).

    A SOC 1 audit can result in two different types of reports, appropriately named Type 1 and Type 2 reports. The AICPA defines these reports as follows:

    • SOC 1 Type 1: “Report[s] on the fairness of the presentation of management’s description of the service organization’s system and the suitability of the design of the controls to achieve the related control objectives included in the description as of a specified date.”
    • SOC 1 Type 2: “Report[s] on the fairness of the presentation of management’s description of the service organization’s system and the suitability of the design and operating effectiveness of the controls to achieve the related control objectives included in the description throughout a specified period.”

    The use of SOC 1 Type 1 and Type 2 reports is restricted to the management of the service organization, user entities and user auditors.

    SOC 2
    A SOC 2 audit is similar to a SOC 1 audit, except it addresses a service organization’s internal controls over cloud and data center security. The SOC 2 framework is based on five Trust Services Criteria (TSC): security, availability, processing integrity, confidentiality and privacy.

    Service organizations are responsible for determining which of these TSC are relevant to the services they offer to their customers; CPAs can perform a SOC 2 audit based on just one of these TSC, all five, or some combination of the five. Additional performance and reporting requirements, as well as application guidance, can be found in AT-C Section 105 and AT-C Section 205 of SSAE 18.


    Once a service organization has selected the appropriate TSC, the CPA will use these criteria to:

    “…evaluate and report on controls over information and systems (a) across an entire entity; (b) at a subsidiary, division, or operating unit level; (c) within a function relevant to the entity’s operational, reporting, or compliance objectives; or (d) for a particular type of information used by the entity.”

    Again, much like SOC 1, there are two types of SOC 2 reports. I.S. Partners, a CPA firm that specializes in performing SOC 2 audits, defines them as follows:

    • SOC 2 Type 1: “This type of audit examines the controls that service organizations use to address any or all five of the Trust Service Criteria. This audit type describes the service organizations’ systems and provides assurance that controls are effectively designed to meet relevant trust criteria at a specific point in time.”
    • SOC 2 Type 2: “This audit type includes additional attestation that a service organization’s controls undergo testing for operating effectiveness over a period of time. User organizations and their auditing team generally select six months for the period of time to evaluate.”

    The use of both SOC 2 Type 1 and SOC 2 Type 2 reports is restricted to the management of the service organization, user entities, user entities’ business partners and user auditors.

    There is, however, a third form of SOC audit report that can be freely distributed; known as SOC 3, it is a general report demonstrating SOC 2 compliance that can be made available to the public.

    SOC Reports at a Glance
    SOC 1

    • Addresses internal controls over financial reporting
    • Based on AT-C Section 320 of SSAE 18
    • Control objectives cover controls around processing and securing customer information for both business and IT purposes
    • Scope of audit includes all aspects of services tested
    • Two types of SOC 1 reports: SOC 1 Type 1 and SOC 1 Type 2
    • Use restricted to service organization management, user entities and user auditors

    SOC 2

    • Addresses internal controls over cloud and data center security
    • Based on AT-C Section 105 and AT-C Section 205 of SSAE 18
    • Control objectives cover five Trust Service Criteria (TSC): security, availability, processing integrity, confidentiality and privacy
    • Service organization selects which TSC to include in audit
    • Two types of SOC 2 reports: SOC 2 Type 1 and SOC 2 Type 2
    • Use restricted to service organization management, user entities, user entities’ business partners and user auditors
    • Service organizations can also request a SOC 3 report, which demonstrates SOC 2 compliance and can be freely distributed

    SOC 1 vs. SOC 2: Which One Do I Need?

    Whether your organization would benefit from obtaining a SOC 1 or SOC 2 audit report depends on a few different factors.

    SOC 1
    Your organization may want to consider a SOC 1 Type 1 or Type 2 audit if:

    • The service it provides impacts or has the potential to impact customers’ financial reporting. For example, if your company offers outsourced payroll services or billing and collections services, it’s in your best interest to secure a SOC 1 report.
    • The customers you serve need to comply with the Sarbanes-Oxley Act (SOX). SOX includes specific provisions pertaining to internal accounting controls, so it’s imperative that any user entity subject to SOX be able to verify that its service organizations are SOC 1 compliant.

    You might also consider a SOC 1 audit if a customer requests it, if your organization has never been audited before or if you’ve recently updated your ICFR. In any case, a SOC 1 report can help your company create transparency, strengthen relationships with existing customers and stakeholders and offer a competitive advantage when acquiring new business.

    SOC 2
    By comparison, a SOC 2 Type 1 or SOC 2 Type 2 audit is a smart choice for any service organization that processes or hosts user entity data, such as a Software as a Service provider or a cloud service platform. A SOC 2 report is a great way to prove to current and prospective customers that your company takes data security seriously, and that you’ve implemented the necessary security measures to prevent potential security breaches.

    Depending on the type of services your company provides and the customers you serve, you might even consider obtaining both SOC 1 and SOC 2 reports.

    SOC 1 vs. SOC 2: Audit Procedure

    SOC 1 and SOC 2 engagements follow slightly different processes, which we’ll explore below.

    SOC 1
    All SOC 1 engagements are broken into three general phases:

    • Planning: Management of a service organization works with the service auditor (a CPA or accountancy firm) to define the scope of the engagement, including the period covered by the SOC 1 report (Type 1 or Type 2); the control objectives; and management’s description of the service organization’s system.

    KEY TERMS 

    “Management’s description of the service organization’s system” is simply a written description of the service a company provides to its customers; it may also include information about the period to which that description applies, the specified control objectives, who was responsible for specifying control objectives and any related controls.

    An “assertion” — also known as “management’s assertion” or a “service organization’s assertion” — is a service organization’s declaration as to whether its internal controls meet the requisite criteria.

    • Evaluation: Management prepares and establishes a basis for its assertion and coordinates testing with the service auditor. The evaluation phase can take several months to complete.
    • Reporting: Management finalizes its assertion, reads the service auditor’s report, reviews any deficiencies identified during the audit and provides a letter of representations to the service auditor.

    For a more detailed explanation of this process — and the terminology involved — we recommend reading the AICPA’s Information for Management of a Service Organization in a SOC 1 Engagement.

    SOC 2
    During a SOC 2 examination, a service auditor will evaluate the effectiveness of controls within a service organization’s cybersecurity risk management program according to the AICPA’s five TSC. The process itself can include anything from employee interviews and systems testing to records requests and filling out paperwork.

    Generally speaking, service auditors are looking for the following controls and policies:

    • Access controls
    • Disaster recovery
    • Encryption
    • Intrusion detection
    • Network and application firewalls
    • Performance monitoring
    • Process monitoring
    • Quality assurance
    • Security incident handling
    • Two-factor authentication

    Once the audit is complete, the service auditor will generate a detailed attestation report based on their findings. The contents of this report are similar to those of a SOC 1 report and can include details on the scope and purpose of the audit, notes on the adherence to the selected TSC, management’s assertion, the service auditor’s final determination and so on.

    As a reminder, a SOC 2 report is a restricted-use document and cannot be shared with the general public; service organizations that wish to share their results publicly will need to undergo a SOC 3 examination.

    SOC 1 vs. SOC 2: How to Prepare

    It isn’t just the audits themselves that differ — the guidance for preparing for a SOC 1 vs. a SOC 2 examination also looks a bit different:

    SOC 1

    • Determine what it is you hope to learn from this audit. This will help you determine the overall scope of the audit.
    • Get to know your clients (and their controls). This will help you align your internal controls with your clients’ and understand which regulatory obligations you’re subject to.
    • Review all existing policies, procedures and training materials. You’ll need to share these with the service auditor, as they’ll serve as the baseline for your SOC 1 audit.
    • Reevaluate your vendor network. Do you work with any vendors whose controls might jeopardize your organization’s SOC 1 compliance?
    • Conduct a readiness assessment. This will help you identify gaps within your existing physical, security, availability, service delivery and quality assurance controls.

    SOC 2

    • Determine which trust principles you intend to have audited. You can also define the specific controls you wish to audit.
    • Conduct a readiness assessment. This will help you identify gaps within your existing security processes and controls.
    • Establish a baseline for normal activity within your cloud environment. This will help support security monitoring, user access and more.
    • Set up anomaly alerts. Your company’s security incident alerting procedure will be included in your SOC 2 audit.
    • Create detailed audit trails. Documenting security incidents can surface valuable insights into your security posture.

    How Can I Find the Right SOC Auditor?

    Whether you want to complete a SOC 1 or a SOC 2 audit, you’ll need a service auditor to conduct your examination. Here are a few questions to ask when evaluating different service auditors to ensure they’re qualified for the job:

    • Are you or your firm affiliated with the AICPA?
    • Do you have prior experience conducting SOC examinations?
    • Do you have prior experience auditing companies of our size?
    • Do you have prior experience auditing companies within our industry?
    • When were you last peer-reviewed?
    • Can you describe your standard quality review process?
    • How long does it typically take for you to complete an audit, from start to finish?
    • As part of your final report, will you provide recommendations on how our organization can improve?

    Additional Compliance Tips

    Obtaining a SOC 1 or SOC 2 report is a great way to support compliance initiatives, both for your own organization and for any client you might provide services to. If you’re looking for additional ways to support compliance, an archiving solution could be a smart investment.

    Simply put, an archiving solution is a centralized repository for all electronic business communications — email, text message, social media and more. It captures incoming and outgoing messages in real time, enabling organizations to create a tamper-proof record of correspondence for compliance (as well as eDiscovery and disaster recovery) purposes.

    To learn more about electronic archiving and how it can help support SOC 1 and SOC 2 compliance, contact the team at Intradyn today.

    Azam is the president, chief technology officer and co-founder of Intradyn. He oversees global sales and marketing, new business development and is responsible for leading all aspects of the company’s product vision and technology department.
