What are the differences and similarities between SOC 1 and SOC 2 reports?
SOC 1 Reports
SOC 1 reports focus on an organization’s business processes and IT controls and are specifically designed to meet the needs of entities that use service organizations and their external auditors as they evaluate the effect of the controls at the service organization on user entities’ financial statements. Use of these reports is restricted to the management of the service organization, user entities and user auditors.
Used by your customers' financial statement auditors to get comfort over the controls you perform that impact your customers' financial statements.
During a SOC 1 audit, you are required to have controls in place to meet control objectives.
Control objectives are defined by the organization being audited.
IT controls are included as part of the SOC 1 audit, but will not be as comprehensive as in a SOC 2 audit.
SOC 2 Reports
With SOC 2 reports, organizations decide which categories to include in the scope of the examination. This flexibility means reports are unique to each company while providing a consistent framework to evaluate whether organizations meet the criteria for the categories included in the examination. These examinations are designed for a broad range of users that need information and assurance about the controls at a service organization relevant to security, availability and processing integrity of the systems the service organization uses to process users’ data, and the confidentiality and privacy of the information processed by these systems. The use of this report is restricted. These reports can play an important role in oversight of the organization, vendor management programs, and internal corporate governance and risk management processes.
Used by your customers to get comfort over the controls you have in place to ensure the security, availability, confidentiality, processing integrity, and privacy of their data and proprietary information.
During a SOC 2 audit, you are required to have controls in place to meet the AICPA's Trust Services Criteria.
The Trust Services Criteria are defined and cannot be altered.
Security controls are the primary focus, but processing integrity may include controls over financial operations.
SOC 1 and SOC 2 Similarities
The reports will include the same sections, but with different content.
Similar types of testing procedures will be performed.
CPA firms will use the same process to perform the audits.
Do I Need a SOC 1, SOC 2 or both?
To decide which one you need, ask the following questions:
Do we process financial transactions for customers? You need a SOC 1 and SOC 2.
Do we host customers' financial applications (i.e. cloud service providers/data centers) You need a SOC 1 and SOC 2.
Do our customers only require assurance over the security of their data? You only need a SOC 2.
If you need a SOC 1 Report, you will also need a SOC 2. This is because the security controls in a SOC 1 will not be comprehensive enough to meet the SOC 2 criteria.
Schneider Downs employs a unique approach to SOC reports, integrating the expertise of information technology, internal audit and external audit professionals. By combining cross-disciplinary knowledge and project management expertise, we are able to effectively deliver on our clients' expectations. If you are interested in learning how we can assist your organization, please contact us to get started or learn more about our practice at www.schneiderdowns.com/soc.
You’ve heard our thoughts… We’d like to hear yours
The Schneider Downs Our Thoughts On blog exists to create a dialogue on issues that are important to organizations and individuals. While we enjoy sharing our ideas and insights, we’re especially interested in what you may have to say. If you have a question or a comment about this article – or any article from the Our Thoughts On blog – we hope you’ll share it with us. After all, a dialogue is an exchange of ideas, and we’d like to hear from you. Email us at [email protected].
Material discussed is meant for informational purposes only, and it is not to be construed as investment, tax, or legal advice. Please note that individual situations can vary. Therefore, this information should be relied upon when coordinated with individual professional advice.