System and Organization Controls 1 and 2 (SOC 1 and SOC 2) reports are both related to
internal controls within organizations, but they serve different purposes and audiences. Which
one is right for your organization? It will depend on the use case of the report and the nature of
your services. See below for a breakdown of each and how to determine which type of report
makes sense for you!
SOC 1:
So what is a SOC 1? This type of report focuses on a service organization’s internal controls
relevant to their users’ financial reporting. If your organization performs a service that impacts
financial reporting data for your customers or their internal control over financial reporting, then
a SOC 1 may be relevant. SOC 1 reports often contain process and reporting information but
can also include details over general IT controls that could impact financial data or reporting.
SOC 1 examinations are conducted by an independent CPA firm and are based on Statements
on Standards for Attestation Engagements (SSAEs) issued by the Association of International
Certified Professional Accountants.
There are two types of SOC 1 examinations:
1. Type I – the auditor assesses the fairness of the presentation of the content within your
report and the appropriateness of the design of controls, including whether the controls
have been implemented, as of a point in time.
2. Type II – the auditor assesses both of the above, but also evaluates the operating
effectiveness of those controls over a period of time.
Why might you need a SOC 1?
You provide a service or software that can impact financial reporting or internal control
over financial reporting for your customers, such as companies that:
- Service mortgages or other loans.
- Process transactions.
- Service payroll and/or employee benefit plans.
- Provide inventory management services or software.
- Provide claims processing services.
- Provide clearing house services.
- Have customers who have financial statement audits and whose auditors need information about your services.
SOC 2:
What is a SOC 2? SOC 2 reports focus on an organization’s “system” and controls related to
security, availability, processing integrity, confidentiality, and/or privacy. In a SOC 2 report a
company describes the infrastructure, software, people, data, and procedures which encompass
a given service offering known as a “system”. SOC 2 reports are typically used by service
organizations to demonstrate the controls the entity has established and operated to achieve
any commitments the organization makes around security, availability, processing integrity,
confidentiality, and/or privacy to the company’s stakeholders (typically customers). SOC 2
reports are much broader in application than a SOC 1 as any company offering a service could
make such commitments, and any customer of a service could want some assurance over how
that organization is actually achieving and monitoring those commitments.
Similar to SOC 1s, a SOC 2 examination is governed by SSAEs and must be performed by a
licensed CPA firm.
Also similar to a SOC 1, there are two types of SOC 2 reports:
1. Type I – the auditor assesses that the report is presented in accordance with the
description criteria as outlined by the AICPA, and the appropriateness of the design of
controls, including the implementation of controls, to achieve the organization’s
commitments as of a point in time.
2. Type II – the auditor assesses both of the above, but also evaluates the operating
effectiveness of those controls over a period of time.
Why might you need a SOC 2?
You provide a service or software in which you handle, store, process, or manage data
for customers and you make commitments over the security, availability, processing
integrity, confidentiality, and/or privacy of those services, such as:
- Cloud service providers
- Software as a service (SaaS) providers
- Managed service providers
- Data centers
- Data processors
- Healthcare technology companies
- Fintech companies
- Education technology companies
- Legal technology companies
- Any company making commitments around the handling of data
In Summary
While both SOC 1 and SOC 2 reports deal with controls within organizations, SOC 1 is focused
on controls related to financial reporting, while SOC 2 is focused on controls related to the Trust
Service Criteria (TSCs) relevant to security, availability, processing integrity, confidentiality,
and/or privacy.
So, which report is best for your organization?
If you are just getting started, choosing between SOC 1 and SOC 2 should be a decision based
on three factors:
1. What sort of services are you providing to your customers (i.e., is there a financial
reporting impact or not)?
2. What sort of information are your customers and other stakeholders requesting (i.e., are
they requesting a specific type of report, are they asking about reporting or process-
related information [SOC 1], or general security information [SOC 2])?
3. What is the intended use of the report?
a. Used by the financial auditors of your customer (SOC 1)
b. Used by the security department at your customer for vendor due diligence (SOC 2)
There can be a lot to consider when choosing the right reporting structure. It is generally a good
idea to reach out to an audit firm experienced in both types of reports to assist with the scoping.
At AssurancePoint we commonly perform both SOC 1 and SOC 2 examinations and would be
happy to help with your reporting needs. Feel free to reach
Written By:
Riley Myers
Riley is a senior associate at AssurancePoint. His primary role is supporting the SOC examination practice and assisting both clients and internal teams in the successful completion of SOC examinations.
Riley has spent the entirety of his career in professional services and serving clients in their information security and compliance needs across a variety of industries including fintech, legal tech, education tech, supply chain, healthcare, insurance, etc.
Riley is an advocate of audit quality and strives to deliver both quality and value through the audit process to his clients. Riley holds various security credentials and is an active member of the AICPA.