SOC 1 vs. SOC 2: What’s the Difference?
If your company provides services to other organizations, you’ve likely been asked to produce a SOC report at some point. At a high level, SOC reports are a way for service organizations to demonstrate that they’ve established strong internal controls for their information systems.
Though that might seem fairly straightforward, there are two primary types of SOC reports, each of which pertains to a different set of internal controls. Without specific guidance, it can be unclear as to which type of SOC report a current or prospective client is looking for.
In this article, we’ll look at SOC 1 and SOC 2 reports and explain what they are, how they differ, how to determine which one you need and more.
What are SOC Reports?
System and Organization Controls (SOC) reports (formerly known as Service Organization Control reports) are attestation reports issued by independent CPAs under standards set by the American Institute of Certified Public Accountants (AICPA). They attest to whether a third-party vendor has established effective internal controls over its information systems. These controls can range from restricting system access to authorized users to conducting penetration tests to identify potential vulnerabilities.
Third-party vendors are known as “service organizations” in SOC parlance; the companies they provide services to are known as “user entities.”
Accordingly, any CPA who conducts a SOC 1 or SOC 2 audit on behalf of a service organization is known as a “service auditor,” and any CPA who conducts an audit on behalf of a user entity is known as a “user auditor.”
Although SOC reports are not mandated, they can help support compliance initiatives and inspire confidence in a service organization’s security protocols and procedures amongst user entities.
SOC 1 vs. SOC 2: What’s the Difference?
As noted in our introduction, there are two primary types of SOC audit and report: SOC 1 and SOC 2.
The SOC 1 auditing procedure addresses a service organization’s internal controls over financial reporting (ICFR), specifically the controls that are likely to be relevant to user entities’ own financial reporting. Service organizations preparing to undergo a SOC 1 audit are responsible for determining their own key control objectives (that is, the aims the controls are intended to achieve, framed around the risks that would otherwise threaten the processing and secure storage of customer information). Performance and reporting requirements for SOC 1 audits, as well as application guidelines for any CPA performing a SOC 1 audit, can be found in AT-C Section 320 of Statement on Standards for Attestation Engagements No. 18 (SSAE 18).
A SOC 1 audit can result in two different types of reports, appropriately named Type 1 and Type 2 reports. The AICPA defines these reports as follows:
- SOC 1 Type 1: “Report[s] on the fairness of the presentation of management’s description of the service organization’s system and the suitability of the design of the controls to achieve the related control objectives included in the description as of a specified date.”
- SOC 1 Type 2: “Report[s] on the fairness of the presentation of management’s description of the service organization’s system and the suitability of the design and operating effectiveness of the controls to achieve the related control objectives included in the description throughout a specified period.”
The use of SOC 1 Type 1 and Type 2 reports is restricted to the management of the service organization, user entities and user auditors.
A SOC 2 audit is similar in structure to a SOC 1 audit, but instead of financial reporting it addresses a service organization’s controls over the systems it uses to process, store and transmit user entities’ data, whether those systems sit in a cloud environment or in the organization’s own data center. The SOC 2 framework is based on five Trust Services Criteria (TSC): security, availability, processing integrity, confidentiality and privacy.
Service organizations are responsible for determining which of these TSC are relevant to the services they offer to their customers. The security criteria (also called the common criteria) are included in every SOC 2 examination; the other four are added as appropriate, so a CPA can perform a SOC 2 audit against security alone, all five TSC or any combination that includes security. Additional performance and reporting requirements, as well as application guidance, can be found in AT-C Section 105 and AT-C Section 205 of SSAE 18.
Once a service organization has selected the appropriate TSC, the CPA will use these criteria to:
“…evaluate and report on controls over information and systems (a) across an entire entity; (b) at a subsidiary, division, or operating unit level; (c) within a function relevant to the entity’s operational, reporting, or compliance objectives; or (d) for a particular type of information used by the entity.”
Again, much like SOC 1, there are two types of SOC 2 reports. I.S. Partners, a CPA firm that specializes in performing SOC 2 audits, defines them as follows:
- SOC 2 Type 1: “This type of audit examines the controls that service organizations use to address any or all five of the Trust Service Criteria. This audit type describes the service organizations’ systems and provides assurance that controls are effectively designed to meet relevant trust criteria at a specific point in time.”
- SOC 2 Type 2: “This audit type includes additional attestation that a service organization’s controls undergo testing for operating effectiveness over a period of time. User organizations and their auditing team generally select six months for the period of time to evaluate.”
The use of both SOC 2 Type 1 and SOC 2 Type 2 reports is restricted to the management of the service organization, current and prospective user entities, user entities’ business partners and user auditors.
There is, however, a third form of SOC audit report that can be freely distributed; known as SOC 3, it is a general report demonstrating SOC 2 compliance that can be made available to the public.
SOC Reports at a Glance (summary table not reproduced here)
SOC 1 vs. SOC 2: Which One Do I Need?
Whether your organization would benefit from obtaining a SOC 1 or SOC 2 audit report depends on a few different factors.
Your organization may want to consider a SOC 1 Type 1 or Type 2 audit if:
- The service it provides impacts or has the potential to impact customers’ financial reporting. For example, if your company offers outsourced payroll services or billing and collections services, it’s in your best interest to secure a SOC 1 report.
- The customers you serve need to comply with the Sarbanes-Oxley Act (SOX). SOX includes specific provisions pertaining to internal accounting controls, so a user entity subject to SOX needs evidence that the outsourced processes feeding its financial statements are properly controlled, which is exactly what a SOC 1 report from its service organizations provides.
You might also consider a SOC 1 audit if a customer requests it, if your organization has never been audited before or if you’ve recently updated your ICFR. In any case, a SOC 1 report can help your company create transparency, strengthen relationships with existing customers and stakeholders and offer a competitive advantage when acquiring new business.
By comparison, a SOC 2 Type 1 or SOC 2 Type 2 audit is a smart choice for any service organization that processes or hosts user entity data, such as a Software as a Service provider or a cloud service platform. A SOC 2 report is a great way to prove to current and prospective customers that your company takes data security seriously, and that you’ve implemented the necessary security measures to prevent potential security breaches.
Depending on the type of services your company provides and the customers you serve, you might even need both a SOC 1 and a SOC 2 report.
SOC 1 vs. SOC 2: Audit Procedure
SOC 1 and SOC 2 engagements follow slightly different processes, which we’ll explore below.
All SOC 1 engagements are broken into three general phases:
- Planning: Management of a service organization works with the service auditor (a CPA or accountancy firm) to define the scope of the engagement, including the period covered by the SOC 1 report (Type 1 or Type 2); the control objectives; and management’s description of the service organization’s system.
“Management’s description of the service organization’s system” is simply a written description of the service a company provides to its customers; it may also include information about the period to which that description applies, the specified control objectives, who was responsible for specifying control objectives and any related controls.
An “assertion” — also known as “management’s assertion” or a “service organization’s assertion” — is a service organization’s declaration as to whether its internal controls meet the requisite criteria.
- Evaluation: Management prepares and establishes a basis for its assertion and coordinates testing with the service auditor. The evaluation phase can take several months to complete.
- Reporting: Management finalizes its assertion, reads the service auditor’s report, reviews any deficiencies identified during the audit and provides a letter of representations to the service auditor.
For a more detailed explanation of this process — and the terminology involved — we recommend reading the AICPA’s Information for Management of a Service Organization in a SOC 1 Engagement.
During a SOC 2 examination, a service auditor will evaluate the design (Type 1) or the design and operating effectiveness (Type 2) of controls within a service organization’s cybersecurity risk management program against the TSC the organization selected from the AICPA’s five. The process itself can include anything from employee interviews and systems testing to records requests and filling out paperwork.
Generally speaking, service auditors are looking for the following controls and policies:
- Access controls
- Disaster recovery
- Intrusion detection
- Network and application firewalls
- Performance monitoring
- Process monitoring
- Quality assurance
- Security incident handling
- Two-factor authentication
Once the audit is complete, the service auditor will generate a detailed attestation report based on their findings. The contents of this report are similar to those of a SOC 1 report and can include details on the scope and purpose of the audit, notes on the adherence to the selected TSC, management’s assertion, the service auditor’s final determination and so on.
As a reminder, a SOC 2 report is a restricted-use document: it is shared with the parties listed above (user entities, their auditors and business partners), not published. Service organizations that wish to share their results with the general public will need to obtain a SOC 3 report, which covers the same Trust Services Criteria in summary form and carries no distribution restrictions.
SOC 1 vs. SOC 2: How to Prepare
It isn’t just the audits themselves that differ — the guidance for preparing for a SOC 1 vs. a SOC 2 examination also looks a bit different:
How Can I Find the Right SOC Auditor?
Whether you want to complete a SOC 1 or a SOC 2 audit, you’ll need a service auditor to conduct your examination. Here are a few questions to ask when evaluating different service auditors to ensure they’re qualified for the job:
- Are you or your firm affiliated with the AICPA?
- Do you have prior experience conducting SOC examinations?
- Do you have prior experience auditing companies of our size?
- Do you have prior experience auditing companies within our industry?
- When were you last peer-reviewed?
- Can you describe your standard quality review process?
- How long does it typically take for you to complete an audit, from start to finish?
- As part of your final report, will you provide recommendations on how our organization can improve?
Additional Compliance Tips
Obtaining a SOC 1 or SOC 2 report is a great way to support compliance initiatives, both for your own organization and for any client you might provide services to. If you’re looking for additional ways to support compliance, an archiving solution could be a smart investment.
Simply put, an archiving solution is a centralized repository for all electronic business communications, including email, text messages and social media. It captures incoming and outgoing messages in real time, enabling organizations to create a tamper-evident record of correspondence for compliance (as well as eDiscovery and disaster recovery) purposes.
To learn more about electronic archiving and how it can help support SOC 1 and SOC 2 compliance, contact the team at Intradyn today.