Incident Response | Jan Kahmen | 5 min read

What is the Difference Between SOC 1 and SOC 2?

SOC 1 and SOC 2 are both auditing standards for systems and organizations. SOC 1 describes the audit performed to assess the effectiveness of the internal controls that affect an organization's financial reporting.


SOC 1

SOC 1 (Service Organization Control 1) is a report that focuses on the effective implementation of an organization's internal controls that affect financial reporting. The report is typically prepared by an external auditor and usually includes an audit that focuses on all or part of the organization's process.

  • SOC 1 refers to internal control over financial statements and reports.
  • For organizations that provide a service that may impact a client's financial reports, e.g. companies that process payment transactions.

SOC 2

SOC 2 (Service Organization Control 2) is a report that focuses on an organization's effective implementation of internal controls that address data security, availability, confidentiality, integrity, and compliance with rules and policies. The report is typically prepared by an external auditor and usually includes an audit that focuses on all or part of the organization's process.

  • SOC 2 relates to internal controls for security, confidentiality, processing integrity, privacy, and availability of customer data.
  • For organizations that store, process, or transmit customer data of any type, e.g. SaaS companies, data hosting or processing providers, or cloud storage services.

Difference Between SOC 1 and SOC 2

Both SOC 1 and SOC 2 reports come in two types: a Type I report assesses the design of controls at a single point in time, while a Type II report also tests their operating effectiveness over a review period. In scenarios where your organization has had formal systems in place for some time, a Type I report might be the way to go. This type of report can provide assurance that systems have been properly updated and maintained.

A Type I report may also be the ideal choice in other cases. For example, if you are new to formal systems, this type of report can be an effective way to demonstrate compliance without having to wait months for a Type II report. If you are on a tight schedule but need the more thorough Type II report, a report that covers a three-month audit period might be the optimal solution.

What is the SOC 2 Common Criteria List?

Organizations can choose which SOC 2 Trust Services criteria to include in the scope of their audit; however, each SOC 2 report must include the security criteria. These criteria are reviewed against the Common Criteria.

  • CC1 - Control Environment
    Does the organization value integrity and security?
  • CC2 - Communication and Information
    Are policies and procedures in place to ensure security? Are they well communicated to both internal and external partners?
  • CC3 - Risk Assessment
    Does the organization analyze risks and monitor how changes affect those risks?
  • CC4 - Monitoring of Controls
    Does the organization monitor, evaluate and communicate the effectiveness of its controls?
  • CC5 - Control Activities
    Are the right controls, processes, and technologies in place to mitigate risks?
  • CC6 - Logical and Physical Access Controls
    Does the organization encrypt data? Are controls in place over who can access data, and is physical access to servers restricted?
  • CC7 - System Operations
    Are systems monitored to ensure they are functioning properly? Are there incident response and disaster recovery plans in place?
  • CC8 - Change Management
    Are significant changes to systems properly tested and pre-approved?
  • CC9 - Risk Mitigation
    Does the organization mitigate risk through appropriate business processes and vendor management?

What are the Five AICPA Trust Services Criteria?

The AICPA Trust Services Criteria define five criteria for evaluating an organization's security controls for SOC 2 compliance: security, availability, processing integrity, confidentiality, and privacy.

  1. Audit - the auditor must perform the audit with reasonable professional care.
  2. Reporting - the auditor must prepare a report on the audit findings.
  3. Independence - the auditor must demonstrate that they have not been influenced by financial or other interests.
  4. Reliability - the auditor must comply with the principles of good fiduciary practice.
  5. Competence - the auditor must ensure that they have the skills and knowledge to bring the audit to a satisfactory conclusion.

Conclusion

SOC 1 refers to internal controls for financial reporting, and SOC 2 refers to internal controls for data security, availability, confidentiality, integrity, and compliance with rules and policies. The AICPA Trust Services Criteria define five criteria for evaluating an organization's security controls for SOC 2 compliance: security, availability, processing integrity, confidentiality, and privacy. In order to meet the five criteria, an auditor must perform a formal audit with due diligence as a reasonable expert.
