SOC 1 vs. SOC 2 – What is the Difference?
SOC 1 and SOC 2 audit reports are valuable attestation reports on controls at a service organization. Both are the established industry standard for assessing and evaluating a service organization’s internal controls, and are therefore a necessity for companies that need to manage the risk of using service organizations. The two reports are nevertheless very different: each is designed for a specific set of users, and each achieves different goals for the service organization. It is important to know the differences between them so that an organization obtains the correct SOC report.
SOC 1 Audits
The SOC 1 report focuses on the design and operating effectiveness of a service organization’s internal controls over financial reporting (ICFR). SOC 1 audits are conducted in accordance with the Statement on Standards for Attestation Engagements (SSAE) 18 AT-C Section 320. The audit report provides an assurance opinion to users of the service organization on the operating effectiveness of the ICFR control objectives. The report gives customers and their auditors the assurance over internal controls they need in order to rely on the results of information processed by the service organization. What types of service organizations should obtain a SOC 1 report? SOC 1 is relevant to service organizations that provide financial services, including billing, payroll, and other processes that affect their customers’ financial reporting.
SOC 1 reports have two reporting options. The Type 1 report provides an audit opinion on the design effectiveness of internal controls over financial reporting at the service organization at a point in time. The Type 2 report provides an audit opinion on the design and operating effectiveness of internal controls over financial reporting over a period of time, typically six months to one year.
SOC 2 Audits
A SOC 2 audit provides an organization’s customers and vendors with an assurance opinion relevant to the service organization’s internal controls over information security. A SOC 2 audit evaluates a service organization’s controls relevant to security, availability, processing integrity, confidentiality, and privacy. The report provides users with a valuable opinion on whether the service organization’s controls are well-designed and operating effectively to protect customer information. Unlike SOC 1, which focuses on internal controls over financial reporting, SOC 2 audits focus on assurance of broader security and privacy practices at the service organization.
The SOC 2 audit is based upon internal controls relevant to the American Institute of Certified Public Accountants (AICPA) Trust Services Framework, called the “Trust Services Criteria,” which the AICPA defines as:
- Security – Information and systems are protected against unauthorized access, unauthorized disclosure of information, and damage to systems that could compromise availability, integrity, confidentiality, and privacy of information or systems.
- Availability – Information and systems are available for operation and use.
- Processing Integrity – System processing is complete, valid, accurate, timely, and authorized.
- Confidentiality – Information designated as confidential is protected.
- Privacy – Personal information is collected, used, retained, disclosed, and disposed of appropriately.
Similar to SOC 1, SOC 2 has two reporting options relevant to the internal controls required to meet the Trust Services Criteria. The Type 1 report provides an opinion on the design effectiveness of internal controls appropriate to the applicable Trust Services Criteria at a point in time. The Type 2 report provides an audit opinion on the design and operating effectiveness of internal controls relevant to the applicable Trust Services Criteria over a period of time, typically six months to one year.
Before assessing and determining the appropriate SOC report for your organization, it may be useful to have a consultation with McKonly & Asbury to determine the report that is best based on your organization’s needs. For more information, be sure to visit our System and Organization Controls (SOC) service page, and don’t hesitate to contact Dave Hammarberg, CPA, CFE, CISSP, GSEC, MCSE, CISA with further questions regarding SOC 2 reports and our services.
About the Author
Josh joined McKonly & Asbury in 2006 and is currently a Director with the firm. He is a key member of the firm’s Audit & Assurance Segment, primarily working with clients in the firm’s Service Organization Controls (SOC) Practice.…