System and Organization Controls for Service Organizations (SOC) reports focus on system-level service organization controls. SOC 1 reports differ significantly from SOC 2 reports. In fact, SOC 2 has much more in common with SOC 3, whose reports are essentially simplified versions of SOC 2 reports.
Don’t be fooled by the similar acronyms: SOC 1 and SOC 2 compliance are as different from each other as night and day.
In fact, they only have a few things in common:
- Both are based on Statement on Standards for Attestation Engagements 18 (SSAE-18, formerly SSAE-16), a set of auditing standards developed by the American Institute of Certified Public Accountants (AICPA).
- Both concern service organizations.
- Both can generate Type 1 and Type 2 reports.
Which type of SOC reporting you need depends on the nature of your organization and its needs. Often, companies will want both.
What is SOC 1?
The AICPA refers to SOC 1 reports as “Reports on Controls at a Service Organization Relevant to User Entities’ Internal Control over Financial Reporting (ICFR).”
A SOC 1 report, conducted by a CPA firm, will discuss a service organization’s controls that affect the enterprise’s financial statements. Are the controls well designed? Do they work, helping the organization to meet its financial goals?
These reports focus on entity-level controls, including data protection, over the service provider‘s financial-statement assertions, to ensure it meets regulatory requirements over financial reporting.
Publicly held companies must engage in SOC 1 reporting to meet Securities and Exchange Commission (SEC) requirements, and fulfill the Sarbanes-Oxley Act of 2002 (SOX) requirements.
Entities can engage in two types of SOC 1 reports.
Type 1 reports review management’s description of the service organization’s system to determine the suitability of its control designs and provide assurance that it achieves the SSAE-18 objectives. These reports cover only the state of the controls at a point in time.
Type 2 reports incorporate the same information as Type 1 reports, plus the controls’ operating effectiveness and whether they meet objectives. These reports cover a period of time, typically one year.
What is SOC 2?
SOC 2 reports are called “Reporting on Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy” (the five “trust services criteria” or “trust services principles“).
These reports focus on cybersecurity controls, providing assurance over organizational oversight, vendor management, internal corporate governance and risk management, and regulatory oversight. Service organizations such as software-as-a-service providers (SAAS), data center providers, and cloud computing hosts, may provide these reports to senior management, boards of directors, customers, regulators, business partners, and suppliers.
SOC 2 reports also come in two different types.
- Type 1 reports focus on management’s description of the services organization’s system and suitability of the design controls at a point in time.
- Type 2 reports use that same information and also incorporate the controls’ operating effectiveness, over a period of time.
The AICPA has released additional SOC 2 reports that address other subjects and criteria.
In collaboration with the Cloud Security Alliance (CSA), the AICPA established an assessment of cloud providers known as the CSA Security Trust and Assurance Registry (STAR) Attestation. The “SOC 2 Report with the Criteria in the Cloud Security Alliance (CSA) Cloud Controls Matrix (CCM)” guides auditors reporting on the design and operating effectiveness of internal controls aligned to traditional SOC 2 reports while also incorporating the criteria of the CSA CCM.
A second additional subject-matter report focuses on controls specific to organizations that must comply with the Health Insurance Portability and Accountability Act (HIPAA). The AICPA collaborated with HITRUST to incorporate the HITRUST Common Security Framework (CSF) and map those criteria to the TSC.
SOC 2 compliance does not guarantee that you will comply with the International Organization for Standardization’s ISO 27001 standard. ISO 27001 also focuses on security controls but is more rigorous than SOC 2.