
What is SOC 1 & SOC 2 Compliance?

What are SOC 1 and SOC 2 Reports?

Service organizations, such as financial and accounting firms, are routinely asked by their clients and their clients' auditors to demonstrate that they have effective controls in place. The two most common ways to do so are SOC 1 and SOC 2 reports. But what exactly are they, and how do SOC 1 and SOC 2 audits actually work?


System and Organization Controls 1 (SOC 1, formerly Service Organization Control 1) reports are for businesses, known as service organizations, whose services affect their clients' financial reporting. The report gives assurance that the controls the service organization relies on when processing client financial information are suitably designed and operating.

In other words, a SOC 1 report assures customers that your business has appropriate controls in place around the financial information it processes for them. SOC 1 reports come in two forms, Type 1 and Type 2, which are explained below.

The audit is performed by an independent CPA firm licensed to issue SOC reports, and it usually applies to businesses that provide financially related services.

The SOC 1 report focuses on the service organization's controls and on the key control objectives that the organization itself defines.

SOC 1 engagements are performed under the Statement on Standards for Attestation Engagements (SSAE) 18, AT-C Section 320. The SOC reporting framework was established by the American Institute of Certified Public Accountants (AICPA).

The purpose of a SOC audit is to evaluate the controls that support the service. The service organization itself is responsible for defining the key control objectives for the services it provides to clients. Control objectives cover business processes (controls over how client information is processed) and IT processes (controls over the security of client information).

A typical example of a service organization that needs a SOC 1 report is a company that provides payroll services, since its processing flows directly into its clients' financial statements.

Managed IT services providers also commonly supply a SOC 1 report to their customers as evidence that they have reliable internal controls in place.

Type 1 Reports vs Type 2 Reports

Both SOC 1 and SOC 2 reports come in two types. A Type 1 examination evaluates whether controls are suitably designed and implemented as of a particular date.

A Type 2 examination also evaluates the design of controls, but additionally tests whether the controls operated effectively over a period of time, typically six to twelve months.

Type 1 Reports

A Type 1 report describes the organization's system and the controls it has in place to meet its commitments to clients and customers, and gives the auditor's opinion on whether those controls are suitably designed to achieve the stated control objectives as of a chosen date. Because it is a point-in-time snapshot, it is useful for a client's own risk assessment, but it does not show that the controls actually operated over time.

Type 2 Reports

A Type 2 report goes further: it demonstrates that those controls operated effectively over a period of time, usually six to twelve months, and includes the auditor's test procedures and results for each control.

Once an organization has a Type 2 report, it normally keeps the coverage continuous by renewing the audit annually or semi-annually. A Type 2 report therefore evaluates both whether the organization's internal controls are suitably designed and whether they functioned effectively throughout the period.


SOC 2 Reports

A SOC 2 report differs from SOC 1 in its scope: rather than controls relevant to clients' financial reporting, it addresses an organization's controls over the operation and security of its systems. The AICPA developed the Trust Services Criteria (TSC), which set the standard against which those controls are evaluated.

The TSC has five categories: security, availability, processing integrity, confidentiality, and privacy. However, the only category required in every SOC 2 report is security (the common criteria).

So a service organization can choose a SOC 2 report that covers security alone, or security plus any of the other four categories, depending on what its customers require from the audit.

Managed IT services providers like Nerds Support can obtain a SOC 2 attestation to demonstrate that they properly handle and protect sensitive client data. (SOC 2 is an attestation report issued by a CPA firm rather than a certification, although it is often loosely called one.)

SOC 1 and SOC 2 are AICPA attestation standards, not government regulations. The Trust Services Criteria's five categories of security, availability, processing integrity, confidentiality, and privacy apply to SOC 2 reports.

In Summary

  • SOC 1 reports deal with a service organization's internal controls that are relevant to the audit of its clients' financial statements.
  • A SOC 1 audit allows a service organization to have those controls examined and reported on by an independent CPA firm.
  • SOC 2 reports deal with a service organization's controls over its operations and the security of its systems, as defined by the AICPA's Trust Services Criteria (TSC).
  • A SOC 2 audit covers security plus any combination of the other four criteria: availability, processing integrity, confidentiality, and privacy.

If you have any questions about how your business can effectively maintain data compliance, give us a call at (305) 551-2009 or email us at [email protected].

You can also get a hassle-free SOC 2 attestation using compliance automation software like Sprinto.

And for more content & news regarding Compliance, cyber security, Cloud technology and more, visit our blog!



HIPAA Compliance: Not Just for Doctors

Contrary to popular belief, doctors and hospitals aren't the only ones bound by HIPAA. The Health Insurance Portability and Accountability Act was enacted in 1996, and its Privacy and Security Rules give individuals control over who may use and disclose their health records. HIPAA therefore extends to any organization that handles an individual's medical records, including:

● Health Insurance Providers
● Doctors
● Clinics
● Hospitals
● Nursing Homes
● Mental Health Specialists
● Pharmacies
● Dentists, Orthodontists, and Oral Surgeons
● Any Business or Entity Sharing Medical Records with These Organizations


As such, HIPAA obliges these organizations to protect the privacy, security, and accuracy of all medical records entrusted to them. Nerds Support is thoroughly familiar with all aspects of HIPAA, including the following:

The HIPAA Privacy Rule – sets limits on the use and disclosure of protected health information; outside treatment, payment, and health-care operations, disclosures generally require the patient's knowledge and written authorization. This rule also gives individuals the right to access their own medical records so they can check their contents for completeness and accuracy.

HIPAA Compliance for Business Associates – extends HIPAA beyond the original definition of a "HIPAA-covered entity" to any business associate with whom a covered entity shares medical records. This ensures coverage of every organization that keeps medical records for any reason.

HIPAA Security Rule – governs how electronic protected health information (ePHI) may and may not be stored, transmitted, and shared, and requires administrative, physical, and technical safeguards to protect it.

One of the largest undertakings in the medical industry, and a major reason the Security Rule matters, is the ongoing conversion of patient medical records from paper to electronic form.

As a result, organizations operating under HIPAA must take rigorous measures to protect medical data both in storage and during transfer, leaving no stone unturned to minimize risk.

HIPAA Omnibus Final Rule – the newest rule under HIPAA, issued in 2013. According to HITECH Answers, the modifications within this rule are intended to:

● Make business associates of covered entities directly liable for compliance with certain of the HIPAA Privacy and Security Rules' requirements.
● Strengthen the limitations on the use and disclosure of protected health information for marketing and fundraising purposes, and prohibit the sale of protected health information without individual authorization.
● Expand individuals' rights to receive electronic copies of their health information and to restrict disclosures to a health plan concerning treatment for which the individual has paid out of pocket in full.
● Require modifications to, and redistribution of, a covered entity's notice of privacy practices.
● Modify the individual authorization and other requirements to facilitate research and disclosure of child immunization proof to schools, and to enable access to decedent information by family members or others.
● Adopt the additional HITECH Act enhancements to the Enforcement Rule not previously adopted in the October 30, 2009, interim final rule, such as the provisions addressing enforcement of noncompliance with the HIPAA Rules due to willful neglect.

Is your organization adequately prepared to stay within HIPAA compliance law?

Don't be just a number with Nerds Support! With our IT Support Miami team you get personalized 1-on-1 support in 12 minutes or less.
