Many of our clients and prospects get asked for a “SOC report” without any further clarification. Also, many get asked for a SOC 1 and a SOC 2… so how do they know what they need? Do they need both? Just one? We get these questions all the time, and with a quick conversation, we can generally sort out what is really needed based on the services the organization is providing and who is asking for the report. The following information may help your organization determine which report is right.
What is a SOC Report?
SOC stands for “System and Organization Controls.” These were formerly known as Service Organization Control reports. SOC is a suite of reports from the AICPA that CPA firms can issue in connection with system-level controls at a service organization. Currently, the offering consists of the SOC 1, SOC 2, SOC 3, and SOC for Cybersecurity reports. In addition, there are SOC + reports, where another standard can be added (e.g. HIPAA, HITRUST, NIST, etc.). The AICPA is working on additional SOC offerings to include in the suite.
For more information on these SOC report offerings, check out the following blogs:
- What is a SOC 1 Report? Expert Advice You Need to Know
- What is SOC 2? An Expert’s Guide to Audits, Reports, Attestation, & Compliance
- SOC 3 Reports: When do they make sense?
- Reporting on an Entity’s Cybersecurity Risk Management Program and Controls (SOC for Cybersecurity)
While there are a number of offerings of SOC reports from the AICPA, we will focus on SOC 1 and SOC 2, as these are the most common from the SOC suite.
What is the Difference Between a SOC 1 and a SOC 2 Report?
SOC 1 Reports: A SOC 1 report falls under the Statement on Standards for Attestation Engagements (SSAE) 18 AT-C 320 (formerly SSAE 16 or AT 801), though the report itself is called a SOC 1 rather than being named after the standard (reports are NOT called SSAE 18s). A SOC 1 report has a financial focus: it covers the service organization’s controls that are relevant to an audit of its clients’ financial statements. The service organization (with the assistance of the auditors) will determine what the key control objectives are for the services it provides to its clients. Control objectives will relate to both information technology processes and business processes at the service organization.
A Type I SOC 1 report includes a description of controls (which is the design of the controls) at a service organization as of a specified date. A Type II SOC 1 report includes the same opinion on the description of controls, but it also includes an opinion on the operating effectiveness of the controls over a specified period of time. Groups that would be interested in the results of a SOC 1 report include financial executives at the user organization, financial auditors of the service organization, and compliance officers.
SOC 2 Reports: A SOC 2 report also falls under the SSAE 18 standard, though it is specifically addressed in sections AT-C 105 and AT-C 205. The SOC 2 report covers a service organization’s controls, as outlined by the AICPA’s Trust Services Criteria (TSC), that are relevant to its services, operations, and compliance. There are five available criteria: security, availability, processing integrity, confidentiality, and privacy. The security criteria, also referred to as the common criteria, are the only criteria required to be included in a SOC 2. The difference between SOC 1 and SOC 2 is that in a SOC 2, controls meeting the AICPA’s criteria are identified and tested, whereas in a SOC 1, controls meeting the control objectives the service organization has defined are tested.
For more info on the available criteria, please see the following blog posts:
A service organization can choose a SOC 2 report that includes just the security/common criteria, all five criteria, or any combination of the five. The interested readers of a SOC 2 report may also be compliance officers, financial executives, and financial auditors, but could also be an organization’s IT executives, regulators, or partners.
In summary of the comparison of SOC 1 vs. SOC 2 reports:
- The SOC 1 addresses internal control relevant to a service organization’s client’s financial statements.
- The SOC 2 report addresses a service organization’s controls that are relevant to its operations and compliance, as outlined by the AICPA’s Trust Services Criteria (TSC).
What are SOC Controls/Criteria?
There is some flexibility around the controls that can be included in a SOC report. While the AICPA has set criteria that have to be tested in a SOC 2, there is still flexibility in the controls put in place to meet those criteria. For a SOC 1, there are no set criteria that have to be met; instead, control objectives have to be defined that address the services being provided. Controls are then identified to meet the control objectives, and those controls are what is tested and included in the examination. An easy example of the flexibility in controls is physical access to a facility. Access to the facility could be restricted via card key, biometrics, brass key, or a full-time security guard. All of these are controls that would support the criteria or control objective.
What is the Difference Between a Type I and a Type II in a SOC Report?
We discussed above the difference between a SOC 1 and a SOC 2, but within each of these examinations, the report can be a type I or a type II.
A type I examination looks at the description or design of controls as of a specified date. The report for a type I includes the same sections as a type II; there is just no testing included beyond a test of one to confirm the description or design of the controls.
A type II examination also looks at the design of controls, but additionally includes testing of the operating effectiveness of the controls over a period of time. A type II report covers a minimum of six months (there are exceptions to this, but as a general rule six months is the minimum). The goal for an organization is to have the type II cover 12 months and then issue annual type II reports so that there is continual coverage of controls.
If a service organization needs to get an initial report to a client or prospect quickly, the initial report can be a type I to show evidence of controls in place. If there is not a rush to get an initial report out quickly, we generally recommend starting with a type II.
Do Some Service Organizations Need Both a SOC 1 and SOC 2?
There are instances when a service organization gets asked for, and obtains, both a SOC 1 and a SOC 2 examination. We have a number of clients that provide services spanning different industries and therefore get asked for a SOC 1 by some of their clients and a SOC 2 by others. There can be overlap in the testing included in the two reports, which can provide efficiencies in testing.
A SOC 1 report is designed to address internal controls over financial reporting, while a SOC 2 report addresses a service organization’s controls that are relevant to its operations and compliance. One or both could be right for your organization. At Linford & Company we can help determine the correct report or reports to meet your needs.
If you are interested in getting additional information about SOC examinations, or any of the other services we provide, please click on the following links: SOC 1, SOC 2, HIPAA audits, Royalty Audits, FedRAMP, Processing Integrity.
Nicole Hemmer started her career in 2000. She is the co-founder of Linford & Co., LLP. Prior to Linford & Co., Nicole worked for Ernst & Young in Indianapolis, Chicago, and Denver. She specializes in SOC examinations and royalty audits and loves the travel and challenge that comes with clients across all industries. Nicole loves working with her clients to help them through examinations for the first time and then working together closely after that to have successful audits.