The standards and objectives for SOC 1 and SOC 2 Reports differ greatly. The difference in professional standards makes it impractical for an organization to use a SOC 1 Report in place of a SOC 2 Report, and vice versa. It’s important to know what the goals of your organization are before engaging with an auditor.
A SOC 1 Report evaluates your organization’s internal controls over financial reporting and transaction processing. In the U.S., SOC 1 reports use the Statement on Standards for Attestation Engagements (SSAE 16) guidelines as the professional standard for the engagement. SOC 1 reports are generally intended for the management of the service organization, the management of its user entities, and the auditors of those user entities.
A SOC 2 Report focuses on data security and is intended for your organization’s management team, regulators, business partners and suppliers. IT service organizations, data centers, and software-as-a-service vendors are likely candidates for a SOC 2 Attestation Report. Section AT 101 on Attestation Engagements is the professional standard used for SOC 2 engagements. A SOC 2 report can be issued on a single Trust Service Principle or on a combination of the following: Security, Availability, Processing Integrity, Confidentiality and Privacy.
Regardless of which SOC Report your organization selects, being prepared can make a huge difference in the audit process. Organizing your information and providing a clear explanation of how your specific organization operates are good steps to take before engaging with your auditor.
Contact us to learn more about SOC 1 and/or SOC 2 Reporting.