SOC1 vs SOC2 Report
Let’s start by looking at the differences between SOC2 and SOC1 reports.
A SOC1 report falls under the Statement on Standards for Attestation Engagements (SSAE) 18, or its international equivalent, ISAE 3402. The SOC1 report focuses on a service organization’s controls that are relevant to an audit of its clients’ (the user entities’) financial statements. The service organization defines the key control objectives for the services it provides to those clients.
A SOC1 Type I report includes a description of the controls at a service organization and an opinion on whether they are suitably designed, as of a specific date. A SOC1 Type II report contains the same opinion on the design of controls, but additionally includes an opinion on their operating effectiveness over a period of time (typically six to twelve months).
The SOC2 report addresses a service organization’s controls that are relevant to its operations and compliance, assessed against the AICPA’s Trust Services Criteria (TSC).
The five TSCs are:
- security,
- availability,
- processing integrity,
- confidentiality,
- privacy.
The security TSC is the only required TSC in the SOC2 report.
In a SOC2, the controls that meet the TSCs included in the examination are identified and tested, whereas in a SOC1 the controls supporting the service organization’s own control objectives are tested. A service organization can choose a SOC2 report that covers only the security TSC, all five TSCs, or any combination of them that includes security.
The readers of SOC2 reports can be an organization’s financial executives, compliance officers and financial statement auditors, but also its information technology executives, business partners, regulators and other interested parties.
A SOC1 report provides assurance in a very specific financial-controls context to finance and audit professionals, whose expectations and requirements are narrow, well understood and defined by auditing standards.
A SOC2 report is aimed at a much broader audience (including information security and risk professionals) whose requirements are far less certain and specific. So a SOC2 report should provide as much information about your control environment as possible, so that it meets as many of these unknown requirements as possible and avoids follow-up questions once the report is issued. The Criteria are also more wide ranging than typical SOC1 Control Objectives, so a SOC2 inevitably tests more than the 15 or so controls typical of a SOC1.
What is a SOC2 Report?
A SOC2 is a System and Organization Controls 2 report. The AICPA (American Institute of CPAs) publishes criteria that a service organization can select from to demonstrate it has controls in place to mitigate risks to the service it provides.
SOC 2 reports are considered attestation reports. For a SOC 2 attestation, management of a service organization asserts that certain controls are in place to meet some or all of the AICPA’s SOC 2 Trust Services Criteria (TSC).
When a service organization completes a SOC 2 report, the report contains an opinion from a CPA firm stating whether the CPA firm agrees with management’s assertion: that controls addressing the selected TSCs are in place and are suitably designed (Type I report), or suitably designed and operating effectively over the review period (Type II report).
The SOC 2 report structure consists of:
- The Opinion Letter
- Management’s Assertion
- Description of the System
- Description of Tests of Controls and Results of Testing
- Other Information
At a minimum, SOC 2 reports must include the Security criteria, also called the Common Criteria because they apply to every TSC in scope. The other TSCs can be added depending on the needs of user organizations.
The Trust Services Criteria are noted below:
- Security – The system is protected against unauthorized access (both physical and logical).
- Availability – The system is available for operation and use as committed or agreed.
- Processing Integrity – System processing is complete, accurate, and authorized.
- Confidentiality – Information that is designated “confidential” is protected according to policy or agreement.
- Privacy – Personal information is collected, used, retained, disclosed, and disposed of in conformity with the commitments in the entity’s privacy notice and with criteria set forth in Generally Accepted Privacy Principles issued by the AICPA.
Only licensed CPA (Certified Public Accountant) firms may issue SOC 2 reports, and the examination should be performed by a firm that specializes in information security audits.
The 2017 Trust Services Criteria became effective for reports covering periods ending on or after December 15, 2018, and all reports after that date must use the updated criteria. The most noticeable change is the name: “Trust Services Principles and Criteria” became “Trust Services Criteria.” The updated criteria are also aligned with the 2013 COSO Internal Control Integrated Framework, which is used to assess the design, implementation and maintenance of internal controls and their effectiveness.
If you are considering a SOC1 or SOC2 report, call us now (+44 (0)20 8798 9282) to discuss how we can help.