Many of our clients and prospects get asked for a “SOC report” without any further clarification. Also, many get asked for a SOC 1 and a SOC 2… so how do they know what they need? Do they need both? Just one? We get these questions all the time, and with a quick conversation, we can generally sort out what is really needed based on the services the organization is providing and who is asking for the report. The following information may help your organization determine which report is right.
What is a SOC Report?
SOC stands for “System and Organization Controls.” These were formerly called Service Organization Control reports. SOC is a suite of reports from the AICPA that CPA firms can issue in connection with system-level controls at a service organization. Currently there is a SOC 1, SOC 2, SOC 3, and SOC for Cybersecurity report offering. In addition, there are SOC+ reports, where another standard can be added (e.g. HIPAA, HITRUST, NIST, etc.). The AICPA is working on additional offerings, with the next report offering being SOC for Vendor Supply Chain.
While there are a number of offerings of SOC reports from the AICPA, we will focus on SOC 1 and SOC 2, as these are the most common from the SOC suite.
What is the Difference Between a SOC 1 and a SOC 2 Report?
SOC 1 Reports: A SOC 1 report falls under the Statement on Standards for Attestation Engagements (SSAE) 18 AT-C 320 (formerly SSAE 16 or AT 801), though it is named a SOC 1 rather than after the standard (reports are NOT called SSAE 18s). The SOC 1 report focuses on a service organization’s controls that are relevant to an audit of a service organization’s client’s financial statements. The service organization determines the key control objectives for the services provided to clients. Control objectives relate to both business processes and information technology processes at the service organization. A SOC 1 Type I report includes a description of controls (design) at a service organization as of a specific date. A SOC 1 Type II report contains the same opinion on the design of controls, but it additionally includes an opinion on the operating effectiveness of controls over a period of time. The SOC 1 report addresses internal controls relevant to an audit of a service organization’s client’s financial statements. Readers of SOC 1 reports could include financial executives at a user organization, compliance officers, and financial auditors of the service organization.
SOC 2 Reports: A SOC 2 report also falls under the SSAE 18 standard, though it is specifically addressed in sections AT-C 105 and AT-C 205. The SOC 2 report addresses a service organization’s controls that are relevant to its operations and compliance, as outlined by the AICPA’s Trust Services Criteria (TSC). The available TSCs are security, availability, processing integrity, confidentiality, and privacy. The security TSC is the only required TSC in a SOC 2. In a SOC 2, the controls meeting the TSCs included in the examination are identified and tested, whereas in a SOC 1 the controls supporting the identified control objectives are tested.
For additional information on the available TSCs, please see the following blog posts:
A service organization can choose a SOC 2 report that focuses on just the security TSC, on all five TSCs, or on any combination of the five TSCs available. The readers of SOC 2 reports can also be an organization’s financial executives, compliance officers, and financial statement auditors, but can also include an organization’s information technology executives, business partners, regulators, or other interested parties.
To summarize the comparison of SOC 1 vs. SOC 2:
- The SOC 1 report addresses internal controls relevant to an audit of a service organization’s client’s financial statements.
- The SOC 2 report addresses a service organization’s controls that are relevant to their operations and compliance, as outlined by the AICPA’s Trust Services Criteria (TSC).
What is the Difference Between a Type I and a Type II in a SOC Report?
We discuss above the difference between a SOC 1 and a SOC 2, but within each of these examinations, the report can be a type I or a type II.
A type I examination looks at the description or design of controls as of a specified date. The report for a type I includes the same sections as the type II; there is just no testing included beyond a test of one to confirm the description or design of controls.
A type II examination also looks at the design of controls, but additionally includes testing of the operating effectiveness of controls over a period of time. A type II report covers a minimum of six months (there are exceptions to this, but as a general rule six months is the minimum). The goal of an organization is to have the type II cover 12 months and then obtain annual type II reports to maintain continuous coverage of controls.
If a service organization needs to get an initial report to a client or prospect quickly, the initial report can be a type I to show evidence of controls in place. If there is not a rush to get an initial report out quickly, we generally recommend starting with a type II.
Do Some Service Organizations Need Both a SOC 1 and SOC 2?
There are instances when a service organization is asked for and receives both a SOC 1 and a SOC 2 examination. We have a number of clients that provide services spanning different industries and therefore get asked for a SOC 1 from some of their clients and a SOC 2 from other clients. There can be overlap in the testing included in the reports, which can provide efficiencies in testing.
A SOC 1 report is designed to address internal controls over financial reporting, while a SOC 2 report addresses a service organization’s controls that are relevant to its operations and compliance. One or both could be right for your organization. At Linford & Company we can help determine the correct report or reports to meet your needs.
If you are interested in getting additional information about SOC examination, or any of the other services we provide, please click on the following links: SOC 1, SOC 2, HIPAA audits, Royalty Audits, FedRAMP, Processing Integrity.