What Are SOC 1 and SOC 2 Reports?
Service organizations, such as financial advisers and accounting firms, are required to meet compliance requirements. The two most common compliance frameworks are SOC 1 and SOC 2. But what exactly are they? More importantly, how do SOC 1 and SOC 2 work?
Service Organization Control 1, or SOC 1, reports are for businesses that handle financial information on behalf of their clients; such businesses are known as service organizations. The report attests that the business manages that financial information securely.
In other words, a SOC 1 report assures customers that your business has appropriate controls in place to protect their financial information. SOC 1 reports come in two forms, Type I and Type II.
The report is produced by a third-party SOC audit service and usually applies to businesses that provide finance-related services.
The SOC 1 report focuses on the service organization’s controls and key control objectives decided by the organization.
A SOC 1 report is issued under the Statement on Standards for Attestation Engagements (SSAE) 18, AT-C Section 320. SOC 1 reports were established by the American Institute of Certified Public Accountants (AICPA).
The purpose of a SOC report is to evaluate service controls. However, the service organization itself is responsible for deciding the key control objectives for the services it provides to clients. Control objectives cover business processes (controls concerning the processing of client information) and IT processes (controls concerning the security of client information).
An example of a service organization that needs a SOC 1 report is a company that offers payroll services to clients. Typically, outsourced service providers give their customers or clients a SOC 1 report as proof that they have reliable internal controls in place.
Type I Reports vs Type II Reports
Now that we’re clear on what a SOC 1 report is, we can go into the report types. A Type I exam evaluates the design of controls as of a particular date.
A Type II exam also evaluates the design of controls, but it additionally tests the operation of those controls over a period of time. The Type II exam covers a minimum of six months.
Type I reports
Essentially, Type I reports allow auditors to perform risk assessments and let businesses know that they can carry out critical assessment procedures. The report describes an organization’s system and how it works to achieve the goals of its clients and customers. These reports also test how the controls achieve specific objectives on a chosen date.
Type II reports
A Type II report demonstrates the effectiveness of those controls over a period of time. Type II reports review an organization’s internal controls over a period of 6 to 12 months and include an in-depth review of those controls.
Once an organization undergoes the audit, it is re-audited on a continuing basis, either annually or semi-annually. Additionally, a Type II report analyses an organization’s environment to evaluate whether the design and operation of its internal controls are effective.
A SOC 2 report differs from SOC 1 in that it addresses an organization’s controls pertaining to operations and compliance standards. The AICPA developed the Trust Services Criteria (TSC), which define the standards for trustworthy controls.
Security, availability, processing integrity, confidentiality, and privacy are the five TSC categories. However, the only TSC required in a SOC 2 report is security.
A service organization can therefore choose a SOC 2 report that focuses solely on security or one that covers all five TSCs, depending on its specific audit requirements.
- SOC 1 reports deal with internal controls relevant to the audit of a service organization’s clients’ financial statements.
- A SOC 1 audit allows service organizations to report on and examine the internal controls that pertain to their customers’ financial statements.
- SOC 2 reports deal with a service organization’s controls relevant to its operations and compliance, as detailed by the AICPA’s Trust Services Criteria (TSC).
- A SOC 2 audit covers a combination of five distinct criteria: security, availability, processing integrity, confidentiality, and privacy.