SOC 1 vs SOC 2: Choosing the Right Examination

System and Organization Controls 1 and 2 (SOC 1 and SOC 2) reports are both related to
internal controls within organizations, but they serve different purposes and audiences. Which
one is right for your organization? It will depend on the use case of the report and the nature of
your services. See below for a breakdown of each and how to determine which type of report
makes sense for you!

SOC 1:

So what is a SOC1? This type of report focuses on a service organization’s internal controls
relevant to their users’ financial reporting. If your organization performs a service that impacts
financial reporting data for your customers or their internal control over financial reporting, then
a SOC 1 may be relevant. SOC 1 reports often contain process and reporting information but
can also include details over general IT controls that could impact financial data or reporting.
SOC 1 examinations are conducted by an independent CPA firm and are based on Statements
on Standards for Attestation Engagements (SSAEs) issued by the Association of International
Certified Professional Accountants.

There are two types of SOC 1 examinations:

1. Type I – the auditor assesses the fairness of the presentation of the content within your
report and the appropriateness of the design of controls, including whether the controls
have been implemented, as of a point in time.

2. Type II, the auditor assesses both of the above, but also evaluates the operating
effectiveness of those controls over a period of time.

Why might you need a SOC1?

You provide a service or software that can impact financial reporting or internal control
over financial reporting for your customers. Such as companies who

  • Service mortgages or other loans.
  • Process transactions.
  • Service payroll and/or employee benefit plans.
  • Provide inventory management services or software.
  • Provide claims processing services.
  • Provide clearing house services.
  • Have customers who have financial statement audits and whose auditors need information about your services.

SOC 2:

What is a SOC 2? SOC 2 reports focus on an organizations “system” and controls related to
security, availability, processing integrity, confidentiality, and/or privacy. In a SOC 2 report a

company describes the infrastructure, software, people, data, and procedures which encompass
a given service offering known as a “system”. SOC 2 reports are typically used by service
organizations to demonstrate the controls the entity has established and operated to achieve
any commitments the organization makes around security, availability, processing integrity,
confidentiality, and/or privacy to the company’s stakeholders (typically customers). SOC 2
reports are much broader in application than a SOC 1 as any company offering a service could
make such commitments, and any customer of a service could want some assurance over how
that organization is actually achieving and monitoring those commitments.

Similar to SOC 1s, a SOC 2 examination is governed by SSAEs and must be performed by a
licensed CPA firm.

Also similar to a SOC 1, there are two types of SOC 2 reports:

1. Type I – the auditor assesses that the report is presented in accordance with the
description criteria as outlined by the AICPA, and the appropriateness of the design of
controls, including the implementation of controls, to achieve the organization’s
commitments as of a point in time.

2. Type II – the auditor assesses both of the above, but also evaluates the operating
effectiveness of those controls over a period of time.

Why might you need a SOC 2?

You provide a service or software in which you handle, store, process, or manage data
for customers and you make commitments over the security, availability, processing
integrity, confidentiality, and/or privacy of those services. Such as:

  • Cloud service providers
  • Software as a service (SaaS) providers
  • Managed service providers
  • Data centers
  • Data processors
  • Healthcare technology companies
  • Fintech companies
  • Education technology companies
  • Legal technology companies
  • Any company making commitments around the handling of data

In Summary

While both SOC 1 and SOC 2 reports deal with controls within organizations, SOC 1 is focused
on controls related to financial reporting, while SOC 2 is focused on controls related to the Trust
Service Criteria (TSCs) relevant to security, availability, processing integrity, confidentiality,
and/or privacy.

So, which report is best for your organization?
If you are just getting started, choosing between SOC 1 and SOC 2 should be a decision based
on three factors:

1. What sort of services are you providing to your customers? (i.e., financial reporting
impact or not)
2. What sort of information are your customers and other stakeholders requesting (i.e., are
they requesting a specific type of report, are they asking about reporting or process
related information [SOC 1], or general security information [SOC 2])
3. What is the intended use of the report
a. Used by financial auditors of your customer (SOC 1)
b. Used by security department at your customer for vendor due diligence (SOC 2)

There can be a lot to consider when choosing the right reporting structure. It is generally a good
idea to reach out to an audit firm experienced in both types of reports to assist with the scoping.
At AssurancePoint we commonly perform both SOC 1 and SOC 2 examinations and would be
happy to help with your reporting needs. Feel free to reach

Written By:

Riley Myers

Riley is a senior associate at AssurancePoint. His primary role is supporting the SOC examination practice and assisting both clients and internal teams in the successful completion of SOC examinations.

Riley has spent the entirety of his career in professional services and serving clients in their information security and compliance needs across a variety of industries including fintech, legal tech, education tech, supply chain, healthcare, insurance, etc.

Riley is an advocate of audit quality and strives to deliver both quality and value through the audit process to his clients. Riley holds various security credentials and is an active member of the AICPA.

Why SOC Examinations Matter for C-Suite Executives

In today’s rapidly evolving digital landscape, the stakes for securing sensitive data are higher than ever. For C-suite executives such as CISOs, CTOs, CIOs the need for efficient and verifiable security practices is essential. System and Organization Controls...

Security Events vs. Security Incidents

Security Events vs. Security Incidents

In the world of cybersecurity, a common misunderstanding often exists within organizations - the distinction between security events and security incidents. We audit a lot of organizations’ incident management protocols, and the lack of a distinction between event...

How to Evaluate Auditors 2

How to Evaluate Auditors

Selecting an audit firm can, and probably should, feel daunting. After all, you hopefully will work with this firm for many years to come, so it shouldn’t be a rushed decision. Many organizations make the mistake of letting cost be the primary driver of choosing an...

Factors That Create a Positive Compliance Experience

Factors That Create a Positive Compliance Experience

There is no doubt in my mind that I have seen vastly more audit horror stories and unsatisfied auditees on public forums and social media than I have seen people raving about a positive audit experience. Auditing is an extremely tough profession, and we auditors...

How to Prepare for a SOC 2 Security Assessment 2

How to Prepare for a SOC 2 Security Assessment

Security assessments, such as SOC 2 reports, are increasingly becoming a requirement in modern business. Organizations often approach us needing a SOC 2 but need help knowing where to start. So, let's break down the significant steps in preparing for a SOC 2....