SOC 1 vs. SOC 2: What is the Difference?

It can be easy to confuse the difference between a SOC 1 and SOC 2 assessment. Both frameworks attest to organizational control, but the frameworks vary in focus depending on audience and need. Keeping up with compliance regulations might be demanding, particularly if you are confused about where to start.

What is a SOC Assessment?

To start, a System and Organization Controls (SOC) assessment is a CPA-opined statement on IT security that is meant to be used to relay the security at an organization to selected third parties. It must be issued by a CPA firm, and it typically contains four sections that differ a bit depending on if the report is a SOC 1 or 2. The sections and main takeaways for each section are as follows:

  • Independent Service Auditor’s Report – The CPA’s opinion after assessing the in-scope system.
  • Assertion of Organization Management – Management of the organization’s assertion that the description of the system is correct, and controls were appropriate.
  • Description of the In-Scope System – A description of the system and related controls in-scope, and in a Type 1 report, a listing of controls and control assessment results.
  • (Type 1 only) Guidance Regarding Information Provided by the Service Auditor – A description of the CPA activities performed.
  • (Type 2 only) Selected Criteria, Applicable Criteria, Related Controls, and Tests of Controls – In a Type 2, this is where the listing of controls and control assessment results are located.

What is a SOC 1 Report?

AICPA in 2011 introduced the Report on Controls at a Service Organization Relevant to User Entities’ Internal Control over Financial Reporting, otherwise known as a SOC 1.

Per the AICPA, the SOC 1, prepared in accordance with AT-C section 320, is intended to aid businesses that use service organizations and the CPAs that audit the user entities’ financial statements (user auditors) in evaluating the effect of the controls at the business on the user entities’ financial statements.

The SOC 1 also assesses the business’ controls around selected Control Objectives, and how well the business completes those controls. The thoroughness at which those controls are tested depend on whether a Type 1 or Type 2 report has been selected. Check out our blog post here discussing the differences between the Type 1 and 2.

What is a SOC 2 Report?

For some, the outcome mentioned in a SOC 1 audit is not enough to meet the client’s needs. In that case a SOC 2 would suffice as it is generally more pointed than the SOC 1 standard thanks to the Criteria and Points of Focus included within the standard. Per the AICPA, the Report on Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality or Privacy, or SOC 2, is intended to meet the needs of a broad range of users that need detailed information and assurance about the controls at a service organization relevant to the Trust Services Principles of security, availability, and processing integrity of the systems the service organization uses to process users’ data and the confidentiality and privacy of the information processed by these systems.

The SOC 2 can also be modified to fit the needs of the company and its reporting needs by selecting the relevant Trust Services Principles. The Security Principle is the minimum requirement, so it must always be selected, however any of Availability, Processing Integrity, Confidentiality or Privacy can be selected based on the system to be covered. For a bit more detail on these Principles, see our explainer here. Similar to the SOC 1, a Type 1 or Type 2 should be selected; see here to determine which might be appropriate for your situation.

When Would I Need Each?

The simple answer is: did your customer specifically request one or the other? If there has been no customer request and you just want to have a report for marketing purposes, the question would be: does my product affect customer’s financial statements? If yes, we would recommend a SOC 1 and/or SOC 2 depending on the system determined to be in scope. If no, a SOC 2 would fit your needs best.

Would I Ever Need Both?

The short answer is “not unless a customer has specifically requested both” and even then, I might argue no as many times a SOC 2 provides the same information as a SOC 1 assessment plus some. In an age where businesses are increasingly dependent on service organizations for taking steps to protect their data, the competition among businesses is cutthroat so having both might provide a leg up.

Who can Receive These Reports?

Customers who have requested the report, as well as any potential customers who have signed a Non-Disclosure Agreement (NDA) should be able to receive and review any SOC 1 or SOC 2 reports. Keep in mind however that these reports can NOT be publicly shared such as via a website.

The Takeaway

Whether you should get SOC 1, SOC 2, or both, depends on your organization and any requests you may have received from current or potential customers. One of the crucial deciding factors when choosing between SOC 1 and SOC 2 is, if the controls of the organization affect the internal control of the client, over financial reporting. Please feel free to contact us here to find out which type of SOC is suitable for your organization.