SOC 1 vs SOC 2 Audit Reports

Our firm has spent a fair amount of time discussing the differences between SSAE 16 (SOC 1, formerly SAS 70) and AT 101 (SOC 2) audit reports with many individuals from a significant number of companies in a variety of industries.  So what are the differences?  In short, the structure and the content of the reports are not significantly different; it is the recipients of the reports that are different.  It is a nuanced, though important, difference.  The descriptions below are from the American Institute of Certified Public Accountants (AICPA) and accurately describe the different uses of the two reports.

SOC 1 Report

These reports are intended to meet the needs of entities that use service organizations (user entities) and the CPAs who audit the user entities’ financial statements (user auditors) when evaluating the effect of controls at the service organization on the user entities’ financial statements.  User auditors use these reports to plan and perform audits of the user entities’ financial statements.  SOC 1 engagements are performed under Statement on Standards for Attestation Engagements (SSAE) No. 16, Reporting on Controls at a Service Organization (AICPA, Professional Standards, AT sec. 801), and the AICPA Guide Service Organization’s Applying SSAE No. 16, Reporting on Controls at a Service Organization.  In other words, if the service organization plays a role in their clients’ financials (including hosting systems, such as Oracle or SAP financials), then a SOC 1 audit report is the correct choice.

SOC 2 Report

These reports are intended to meet the needs of a broad range of users who need information and assurance about controls at a service organization that affect the security, availability, or processing integrity of the systems that the service organization uses to process users’ data or the confidentiality or privacy of the information processed by these systems.  Examples of stakeholders who may need these reports are management or those charged with governance of the user entities and service organization, customers of the service organization, regulators, business partners, suppliers, and others who have an understanding of the service organization and its controls.  These engagements are performed under AT section 101, Attest Engagements (AICPA, Professional Standards), and the AICPA Guide Reporting on Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy.  Simply put, every service organization that does not fall into the SOC 1 criteria should obtain a SOC 2 audit report.

So what should a service or user organization do?

Service organizations are now in the unforeseen position of receiving requests for both types of reports.  Since a service organization may have clients (i.e., user organizations) that meet the criteria for both reports, it is inevitable that a service organization will have to obtain both types of reports.  For example, this is becoming a more common situation with data center companies, though it is not unique to them.  Service and user organizations should simply discuss which report is needed while understanding that the content of a SOC 1 or a SOC 2 report is often as closely related as the names of the reports themselves.

2 thoughts on “SOC 1 vs SOC 2 Audit Reports”

  1. Thu – Thank you for your post; however, you and April Sage are incorrect. The service auditor for a type one must evaluate the suitability of the control criteria (see AT801.13-.17) of the standard. Neither the service organization nor the service auditor can cherry pick. Also, ask anyone on the AICPA SSAE 16 Task Force or the SOC Task Force (hint: some of the members are the same) and they will confirm this. Both the SOC 1 and the SOC 2 should be the same scope for a data center company.
