SOC 1 & SOC 2

What is SOC 1?

These reports covers internal controls over financial reporting. These reports are restricted use reports intended only for existing customers or the general public.

What is SOC 2?

These reports covers internal controls, policies, and procedures directly related to AICPA’s trust service principles – Security, Availability, Privacy, Confidentiality and Integrity of the customer information handled by service organization. SOC 2 repots are unique to each organization. It is shared under NDA by management, regulators and external auditors.


Similar to SOC 1, the SOC 2 offers a Type 1 and Type 2 report. The Type 1 report is a point-in-time snapshot of your organization’s controls, validated by tests to determine if the controls are designed appropriately. The Type 2 report looks at the effectiveness of those same controls over a more extended period - usually 12 months.

When to Get SOC 2 Certification

Your organization should pursue SOC 1 if your services impact your clients’ financial reporting. For example, if your organization creates software that processes your clients’ billing and collections data, you are affecting your client’s financial reporting, and thus a SOC 1 is appropriate. Another reason organizations pursue SOC 1 vs SOC 2 is if their clients ask for a “right to audit.” Without SOC 1, this could be a costly and time-intensive process for both parties, especially if several of your clients ask to submit a similar request. You may also need to comply with SOC 1 as part of a compliance requirement. If your company is publicly traded, for example, you will need to pursue SOC 1 as part of the Sarbanes-Oxley Act (SOX).

SOC 2, on the other hand, is not required by any compliance framework, such as HIPAA or PCI-DSS. But if your organization doesn’t process financial data but processes or hosts other types of data, SOC 2 makes sense. With today’s business climate being extraordinarily aware and sensitive to data breaches, your clients may want proof that you are taking reasonable precautions to protect their data and stop any leaks. We built an open source template for SOC 2 teams.

The choice to pursue SOC 1 vs SOC 2 depends on your organization’s situation. One critical determining factor when choosing between SOC 1 or 2 is whether your organization’s controls would affect your client’s internal control over financial reporting. You may want to engage with an audit firm to determine which SOC type (or both) is the right fit for your organization.

In certain circumstances, it may be appropriate for companies to obtain both a SOC 1 and a SOC 2 report. Typically, this occurs when a company has multiple service offerings – one service may involve processing financial information on behalf of clients (payment processor) and another service may be more focused on the storage or transmission of sensitive client data (cloud-based data storage). In this case, getting both reports from the same CPA firm can go far to lessen the financial burden on you while ensuring you have advice from a trusted provider who knows your organization.