SOC 1 vs SOC 2
System and Organization Controls (SOC) reports focus on system-level controls for service organizations or entity level controls for other organization. SOC 1 reports differ from SOC 2 reports in their use by the organization and their levels of detail.
More formally, the American Association of Certified Public Accounts (AICPA) refers to SOC 1 reports as “Report on Controls at a Service Organization Relevant to User Entities’ Internal Control over Financial Reporting (ICFR).” These reports focus on entity level controls, including data protection, over the corporation’s financial statement assertions for the purposes of meeting regulatory requirements over financial reporting. Publicly held companies must engage in SOC 1 reporting to meet Security and Exchange Commission (SEC) and fulfill Sarbanes-Oxley Act of 2002 (SOX) requirements.
Entities can engage in two types of SOC 1 reports. Type 1 reports review management’s description of the service organization’s system to determine the suitability of the control designs and provide assurance over whether they achieve the objectives. These reports are limited in that they focus on the description as of a specified date.
Type 2 reports incorporate the same information as Type 1 reports while also detailing the operating effectiveness of the controls in terms of the objectives. Moreover, they review and provide assurances over a specified period. Type 2 reports, therefore, provide more information over how well controls work as well as give insight into how well a service organization maintains their control effectiveness.
Officially, SOC 2 reports are called “Reporting on Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy.” The reports provide assurance over organizationals oversight, vendor management, internal corporate governance and risk management, and regulatory oversight, more formally known as Trust Services Criteria (TSC). t. Service organizations provide these reports to stakeholders including but not limited to senior management, Boards of Directors, customers, regulators, business partners, and suppliers.
SOC 2 reports also come in two different types. Type 1 reports focus on management’s description of the services organization’s system and suitability of the design controls. Type 2 reports use that same information and also incorporate the controls’ operating effectiveness.
The AICPA also released additional SOC 2 reports that address additional subject matters and criteria. In collaboration with the Cloud Security Alliance (CSA), the AICPA established an assessment of cloud providers known as the CSA Security Trust and Assurance Registry (STAR) Attestation. The “SOC 2 Report with the Criteria in the Cloud Security Alliance (CSA) Cloud Controls Matrix (CCM)” guides auditors reporting on the design and operating effectiveness of internal controls aligned to traditional SOC 2 reports while also incorporating the criteria of the CSA CCM.
A second additional subject matter report focuses on controls specific to organizations who must comply with the Health Insurance Portability and Accountability Act (HIPAA). The AICPA collaborated with HITRUST to incorporate the HITRUST Common Security Framework (CSF) and map those criteria the the TSC.