Many of our clients and prospects get asked for a “SOC report” from their clients or customers without any further clarification. Also, many get asked for a SOC 1 and a SOC 2… so how do they know what they need? Do they need both? Just one? We get these questions all the time, and with a quick conversation, we can generally sort out what is really needed based on the services the organization is providing and who is asking for the report. The following information may help your organization determine which report is right.
What is a SOC Report & Where Do the Requirements Come From?
SOC stands for “System and Organization Controls.” These were formerly called Service Organization Control reports. SOC is a suite of reports from the AICPA that third parties (CPA firms) can issue in connection with system-level controls at a service organization. Currently, there is a SOC 1, SOC 2, SOC 3, and SOC for Cybersecurity report offering. In addition, there are SOC + reports where another standard or framework can be mapped into the SOC report (e.g. HIPAA, HITRUST, NIST, etc.). The SOC 2 + reports are just a mapping to those standards or frameworks and do not provide certification for them. The AICPA is working on additional SOC offerings to include in the suite.
For more information on these SOC report offerings (or how they compare), check out the following blogs:
- SOC 2 Considerations for SaaS Providers from an Audit Professional
- SOC 2 + HITRUST: How Your Organization Could Benefit From Both
- What is the NIST Cybersecurity Framework & How Does SOC 2 Map to It?
- SOC 2 vs. HIPAA: What’s the Difference Between a SOC 2 Report & a HIPAA Report?
While there are a number of offerings of SOC reports from the AICPA, we will focus on SOC 1 and SOC 2, as these are the most common from the SOC suite.
What is the Difference Between a SOC 1 and a SOC 2 Report?
SOC 1 and SOC 2 reports can have a lot of overlap in the control activities that are covered in the report. However, the guidance falls under different AICPA standards, and the intended reader of the report has an impact on whether a SOC 1 or SOC 2 is needed.
SOC 1 Reports
A SOC 1 report falls under the Statement on Standards for Attestation Engagements (SSAE) 18 AT-C 320 (formerly SSAE 16 or AT 801). The report is named a SOC 1 rather than after the standard (reports are NOT called SSAE 18s). A SOC 1 report has a financial focus that includes a service organization’s controls relevant to an audit of a service organization’s client’s financials. The service organization (with the assistance of the auditors) will figure out what the key control objectives are for the services they are providing to their clients. Control objectives will be related to both information technology processes and business processes at the service organization.
SOC 2 Reports
A SOC 2 report also falls under the SSAE 18 standard AT-C 105 and the SSAE 21 standard AT-C 205. The SOC 2 report includes a service organization’s controls that are outlined by the AICPA’s Trust Services Criteria (TSC), and that are relevant to its services, operations, and compliance. There are five available criteria: security, availability, processing integrity, confidentiality, and privacy. The security criteria, which are also referred to as the common criteria, are the only criteria required to be included in the SOC 2. The difference between SOC 1 and SOC 2 in reference to these controls and criteria is as follows:
- In a SOC 2, controls meeting the criteria are identified and tested.
- In a SOC 1, controls meeting the identified control objectives are tested.
A service organization can choose a SOC 2 report that includes just the security/common criteria, all five criteria, or a combination of the five criteria. The interested readers of the SOC 2 report may also be compliance officers, financial execs, and financial auditors, but could also be an organization’s IT execs, regulators, or partners.
In summary of the comparison of SOC 1 vs. SOC 2 reports:
- The SOC 1 addresses internal control relevant to a service organization’s client’s financial statements.
- The SOC 2 report addresses a service organization’s controls that are relevant to its operations and compliance, as outlined by the AICPA’s Trust Services Criteria (TSCs).
What are SOC Controls/Criteria?
There is some flexibility around the controls that can be included in a SOC report. While the AICPA has set criteria that have to be tested in a SOC 2, there can still be flexibility on the controls in place to meet the criteria. For a SOC 1, there are no set criteria that have to be met, but rather control objectives have to be defined that address the services being provided. Controls are then identified to meet the control objectives and those are what are tested and included in the examination.
An easy example of the flexibility in controls is around physical access to a facility. Restricting access to the facility could be via card key, biometrics, brass key, or full-time security guard. All of these are controls that would support the criteria or control objective. The service organization owns and is responsible for its control activities, though the auditor can help identify the control objectives and control activities in place at the service organization.
What is the Difference Between a Type I & a Type II in a SOC Report?
We discuss above the difference between a SOC 1 and a SOC 2, but within each of these examinations, the reports can be a type I or a type II.
A type I examination looks at the description or design of controls as of a specified date. The report for a type I includes the same sections as the type II; there is just no testing included beyond a test of one to confirm the description or design of controls.
A type II examination also looks at the design of controls, but additionally includes testing of the operating effectiveness of controls over a period of time. A type II report covers a minimum of six months (there are exceptions to this, but as a general rule six months is the minimum). The goal of an organization is to have the type II cover 12 months and then have annual type II reports to have continual coverage of controls.
If a service organization needs to get an initial report to a client or prospect quickly, the initial report can be a type I to show evidence of controls in place. If there is not a rush to get an initial report out quickly, we generally recommend starting with a type II.
Do Some Service Organizations Need Both a SOC 1 & SOC 2?
There are instances when a service organization gets asked for and receives both a SOC 1 and SOC 2 examination. We have a number of clients that provide services that span across different industries and therefore get asked for a SOC 1 from some of their clients and a SOC 2 from other clients. There can be an overlap in the testing included in the reports, which can provide efficiencies in testing when the examinations are completed at the same time.
How Can I Ensure My Organization is Ready for a SOC 1 or SOC 2 Audit?
Once it has been determined whether a SOC 1 or SOC 2 is required (or both) and whether a type I or type II report will be the first report, the service organization then needs to prepare for the examination. A readiness assessment can be beneficial to validate that controls are in place to meet the control objectives or control criteria. At Linford & Company, we prefer to complete the readiness assessment for our new clients to make sure the first examination is successful. For additional information on readiness assessments, please see our blog post on SOC readiness assessments.
Summary
A SOC 1 report is designed to address internal controls over financial reporting, while a SOC 2 report addresses a service organization’s controls that are relevant to their operations and compliance. One or both could be right for your organization. At Linford & Company, we can help determine the correct report or reports to meet your needs.
If you are interested in getting additional information about a SOC examination, or any of the other services we provide, please click on the following links: SOC 1 services, SOC 2 services, HIPAA compliance audit services, and FedRAMP compliance certification services.
This article was originally published on 5/26/2020 and was updated on 4/5/2023.
Nicole Hemmer started her career in 2000. She is the co-founder of Linford & Co., LLP. Prior to Linford & Co., Nicole worked for Ernst & Young in Indianapolis, Chicago, and Denver. She specializes in SOC examinations and royalty audits and loves the travel and challenge that comes with clients across all industries. Nicole loves working with her clients to help them through examinations for the first time and then working together closely after that to have successful audits.