SOC 1 & SOC 2
What is SOC 1
A SOC 1 (Service Organization Control 1) report gives your company’s user entities assurance that their financial information is being handled safely and securely. The SOC 1 report’s predecessor was the SAS 70 (Statement on Auditing Standards 70) audit, which was eventually replaced by the Statement on Standards for Attestation Engagements no. 16 (SSAE 16). SOC 1 offers both Type 1 and Type 2 (also written as “Type II”) reports. A Type 1 report demonstrates that your company’s internal financial controls are properly designed, while a Type 2 report further demonstrates that those controls operate effectively over a period of time.
What is SOC 2
SOC 2 is a framework to help service organizations demonstrate their cloud and data center security controls. After organizations started using the SAS 70 as a way to measure the effectiveness of an organization’s security controls, the SOC 2 was developed as a report focused only on security. The SOC 2 is rooted in criteria called the Trust Services Principles (renamed to Trust Services Criteria in 2018), which the AICPA (American Institute of CPAs) defines as:
Similar to SOC 1, the SOC 2 offers a Type 1 and Type 2 report. The Type 1 report is a point-in-time snapshot of your organization’s controls, validated by tests to determine if the controls are designed appropriately. The Type 2 report looks at the effectiveness of those same controls over a more extended period - usually 12 months.
When to Get SOC 2 Certification
Your organization should pursue SOC 1 if your services impact your clients’ financial reporting. For example, if your organization creates software that processes your clients’ billing and collections data, you are affecting your clients’ financial reporting, and thus a SOC 1 is appropriate. Another reason organizations pursue SOC 1 rather than SOC 2 is that their clients ask for a “right to audit.” Without a SOC 1 report, each such audit is a costly and time-intensive process for both parties, especially if several of your clients submit similar requests. You may also need SOC 1 to satisfy a compliance requirement. If your company is publicly traded, for example, you will need to pursue SOC 1 as part of the Sarbanes-Oxley Act (SOX).
SOC 2, on the other hand, is not required by any compliance framework, such as HIPAA or PCI-DSS. However, if your organization doesn’t process financial data but does process or host other types of data, SOC 2 makes sense. With today’s business climate extraordinarily aware of and sensitive to data breaches, your clients may want proof that you are taking reasonable precautions to protect their data and prevent leaks. We built an open source template for SOC 2 teams.
The choice to pursue SOC 1 vs SOC 2 depends on your organization’s situation. One critical determining factor when choosing between SOC 1 or 2 is whether your organization’s controls would affect your client’s internal control over financial reporting. You may want to engage with an audit firm to determine which SOC type (or both) is the right fit for your organization.
In certain circumstances, it may be appropriate for a company to obtain both a SOC 1 and a SOC 2 report. Typically, this occurs when a company has multiple service offerings – one service may involve processing financial information on behalf of clients (for example, a payment processor) and another may be focused on the storage or transmission of sensitive client data (for example, cloud-based data storage). In this case, getting both reports from the same CPA firm can go a long way toward lessening the financial burden on you while ensuring you have advice from a trusted provider who knows your organization.