Our firm has spent a fair amount of time discussing the differences between SSAE 16 (SOC 1, formerly SAS 70) and AT 101 (SOC 2) audit reports with many individuals from a significant number of companies in a variety of industries. So what are the differences? In short, the structure and the content of the reports are not significantly different; it is the recipients of the reports that differ. It is a nuanced, though important, difference. The descriptions below are from the American Institute of Certified Public Accountants (AICPA) and accurately describe the different uses of the two reports.
SOC 1 Report
These reports are intended to meet the needs of entities that use service organizations (user entities) and the CPAs who audit the user entities’ financial statements (user auditors) when evaluating the effect of controls at the service organization on the user entities’ financial statements. User auditors use these reports to plan and perform audits of the user entities’ financial statements. SOC 1 engagements are performed under Statement on Standards for Attestation Engagements (SSAE) No. 16, Reporting on Controls at a Service Organization (AICPA, Professional Standards, AT sec. 801), and the AICPA Guide Service Organizations: Applying SSAE No. 16, Reporting on Controls at a Service Organization. In other words, if the service organization plays a role in its clients’ financials (including hosting systems, such as Oracle or SAP financials), then a SOC 1 audit report is the correct choice.
SOC 2 Report
These reports are intended to meet the needs of a broad range of users who need information and assurance about controls at a service organization that affect the security, availability, or processing integrity of the systems that the service organization uses to process users’ data or the confidentiality or privacy of the information processed by these systems. Examples of stakeholders who may need these reports are management or those charged with governance of the user entities and service organization, customers of the service organization, regulators, business partners, suppliers, and others who have an understanding of the service organization and its controls. These engagements are performed under AT section 101, Attest Engagements (AICPA, Professional Standards), and the AICPA Guide Reporting on Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy. Simply put, every service organization that does not fall into the SOC 1 criteria should obtain a SOC 2 audit report.
So what should a service or user organization do?
Service organizations are now in the unforeseen position of receiving requests for both types of reports. Since a service organization may have clients (i.e., user organizations) that meet the criteria for both reports, it is inevitable that a service organization will have to obtain both types of reports. For example, this is becoming a more common situation with data center companies, though it is not unique to them. Service and user organizations should simply discuss which report is needed while understanding that the content of a SOC 1 or a SOC 2 report is often as closely related as the names of the reports themselves.