SOC 1 vs SOC 2: What’s the difference?
By: Torpey White, Partner, and Artur Kuznetsov, Manager – Wipfli’s Risk Advisory Services
If your company specializes in offering outsourced technology services, you’re likely to be asked by customers for a due diligence package. This package — which is meant to give current or potential customers a strong level of assurance when it comes to the security and transparency of your internal operations — will typically include a recently performed SOC 1 or SOC 2 report.
Understanding the purpose of SOC 1 and SOC 2 reports and the difference between them can help you create a comprehensive due diligence package that gives customers the peace of mind they’re looking for.
SOC 1 vs SOC 2
| SOC 1 | SOC 2 | |
| Purpose | A SOC 1 audit helps a service organization examine and report on its internal controls relevant to its customers’ financial statements. | A SOC 2 audit examines and reports on a service organization’s internal controls relevant to the security, availability, processing integrity, confidentiality and/or privacy of customer data. |
| Control objectives | A SOC 1 audit’s control objectives cover controls around processing and securing customer information, spanning both business and IT processes. | A SOC 2 audit’s control objectives cover any combination of the five criteria. For example, some service organizations may cover security and availability, while others may be required to be examined over all five criteria due to the nature of their operations and regulatory requirements. |
| Example use | A company offering outsourced payroll services. Customers who ask to conduct an audit of payroll processing and data security controls can be given a SOC 1 report instead. | A data center offering its customers a secure data center for their critical infrastructure. Instead of having customers perform frequent on-site inspections, the data center can give them a SOC 2 report that describes and validates controls in place. |
| Readers and users | Readers and users of SOC 1 reports often include the customer’s management and external auditors. They are specifically intended for a user entity and the CPAs that audit its financial statements, helping them understand the effect of the service organization’s controls on the user entity’s financial statements. | Readers and users of SOC 2 reports often include the customer’s management, business partners, prospective customers, compliance regulators and external auditors. SOC 2 reports are often used for oversight of the service organization, vendor management programs, internal corporate governance and risk management processes, and regulatory oversight. |
SOC 1
Undergoing a SOC 1 audit helps a service organization examine and report on its internal controls relevant to its customers’ financial statements.
A SOC 1 report falls under the Statement on Standards for Attestation Engagements (SSAE) 18 AT-C Section 320 (formerly known as SSAE 16 or AT 801) established by the American Institute of Certified Public Accountants (AICPA).
When preparing to undergo a SOC 1 audit, a service organization is responsible for determining key control objectives for the services provided to its customers. Control objectives relate to both business processes (e.g., controls around processing customers’ information) and information technology processes (e.g., controls around securing customers’ information).
An example of a service organization needing a SOC 1 report is a company offering outsourced payroll services. When approached by customers for rights to conduct an audit of their payroll processing and data security controls, the outsourced payroll provider may instead offer them a completed SOC 1 report as a testament to having strong internal controls in place that were examined by an independent CPA firm.
Readers and users of SOC 1 reports often include the customer’s management, compliance regulators, and external auditors.
SOC 2
A SOC 2 report also falls under the SSAE 18 standard, Sections AT-C 105 and AT-C 205. But the difference from SOC 1 is that the SOC 2 report addresses a service organization’s controls that are relevant to their operations and compliance, as outlined by the AICPA’s Trust Services Criteria.
Undergoing a SOC 2 audit helps a service organization examine and report on its internal controls relevant to the security, availability, processing integrity, confidentiality, and privacy over customer data.
When preparing to undergo a SOC 2 audit, a service organization is responsible for determining which Trust Services Criteria are relevant to the services offered to its customers. For example, some service organizations may have their SOC 2 audit conducted relevant to the Trust Services Criteria of security and availability, while others may find themselves required to be examined over all five Trust Services Criteria due to the nature of their operations and regulatory requirements.
An example of a service organization needing a SOC 2 report is a data center offering its customers a secure storage location for their critical infrastructure. Instead of having its customers perform frequent on-site inspections of its physical and environmental safeguards, the data center may instead provide them with a SOC 2 report that describes and validates controls in place around the security and availability of the customer’s critical infrastructure stored within the data center.
Readers and users of SOC 2 reports often include the customer’s management, business partners, prospective customers, compliance regulators, and external auditors.
SOC type 1 vs type 2
Once a service organization determines which SOC report fits its reporting needs, it has two options on how to move forward: type 1 and type 2. These options depend on how prepared the service organization is for the SOC audit and how quickly it needs to have the SOC audit performed.
A type 1 SOC audit may be a good option when a service organization: 1) has never been audited or 2) just went through a substantial revamp and enhancement of its internal controls, policies and procedures but was also asked by its customers or prospects to undergo a SOC audit as soon as possible.
A type 1 SOC audit evaluates and reports on the design of controls and procedures put in place as of a point of time. Undergoing a type 1 SOC audit allows a service organization to examine and report on its controls’ design as of a specific date that fits the requested party’s SOC audit timeliness requirements.
A type 2 SOC audit takes the process described above a step further and provides a service organization with an opportunity to report on its controls’ operating effectiveness over a period of time, in addition to the controls’ design.
Undergoing a type 2 SOC audit allows a service organization to examine how its controls operated over a six- to 12-month period, providing its customers or prospects with an additional level of visibility into its internal controls, policies, and procedures.
To achieve the most value and benefit out of a type 2 SOC audit, a service organization should strive to have its SOC audit cover a 12-month period, as well as have its SOC audit performed annually going forward to help establish transparent and continuous coverage and validation of the internal controls in place.
SOC 1 vs SOC 2: Are you ready?
For service organizations unfamiliar with SOC audit requirements, it can be a challenge to determine which SOC audit and of what type a customer truly needs. But service organizations benefit from being able to provide current and prospective customers with assurance that their data is in the right hands, being safeguarded properly — so if you have never undergone a SOC audit, now is the time.
As a CPA firm, Wipfli has extensive experience performing SOC audits for organizations and can help you pick the right exam option that fits your needs. Click here to learn more about our SOC auditor services. To reach out to Wipfli for questions or additional assistance, click here.
Sign up to receive additional content or information in your inbox, or keep reading on about SOC audits:
Do I need a SOC exam? And do I need more than one?
How to Choose the Timing of Your SOC Exam
Understanding SOC exam exceptions and management letter comments
