If your company provides services to other companies, those services may have an impact on your customers’ financial reporting. As a result, your customers’ auditors may need assurance that the controls surrounding your services are designed effectively, and in some cases, operating effectively. A way to provide that assurance is by undergoing a Service Organization Control (SOC) audit. SOC 1 and SOC 2 audit reports have distinct differences. In order to determine which one is right for your organization, you must know how they work:

SOC 1 report

Also known as the Statement on Standards for Attestation Engagements (SSAE) 18, the SOC 1 report focuses on a service organization’s controls that are likely to be relevant to an audit of a user entity’s (customer’s) financial statements. Control objectives are related to both business process and information technology. A SOC 1 – Type I audit report focuses on a description of a service organization’s control and the suitability of how those controls are designed to achieve the control objectives as of a specified dates. A SOC 1 –Type II audit report contains the same opinions as a Type I, but it adds an opinion on the operating effectiveness to achieve related control objectives throughout a specified period. Learn more about SOC 1 Type I and Type II reports here. SOC 1 audit reports are restricted to the management of the services organization, user entities and user auditors.

SOC 2 Report

The SOC 2 report addresses a service organization’s controls that relate to operations and compliance, as outlined by the AICPA’s Trust Services criteria in relation to availability, security, processing integrity, confidentiality and privacy. A service organization may choose a SOC 2 report that focuses on any one or all five Trust Service principles and may choose either a Type I or a Type II audit. A SOC 2 report includes a detailed description of the service auditor’s test of controls and results. The use of this report is generally restricted.

Why was the SOC 2 report created?

The SOC 2 report was created in part because of the rise of cloud computing and business outsourcing of functions to service organizations. These are called user entities in the SOC reports. Liability concerns have caused a demand in assurance of confidentiality and privacy of information processed by the system.

Why are the SOC 1 and SOC 2 reports important?

Recently, more and more services are being outsourced data centers. Service organizations have made these services a core component of their business model, providing these services more efficiently and cost effectively. It must be noted that the service organization retains the responsibility for the services it provides and for the confidentiality and secure protocols in protecting sensitive data. The SOC 1 and 2 reports help gain transparency of the specific controls implemented by a service organization, and the tests performed by the auditor. The success or failure of these controls has a direct or indirect impact on the reputation, financial statements and stability of the user organization.

Who receives and reviews these reports?

The user entity’s auditors are responsible for an organization’s internal controls, regulatory and IT compliance should obtain and review the SOC 1 or 2 report. Anyone in vendor compliance, internal audit, IT management and legal departments may all be parties that have an interest in understanding the control structure of the service organization.

Key components to consider when undergoing an SOC report:

• Does the report include testing operating effectiveness of controls for a specific period of time, or does it only cover a specific point in time?
• For SOC 1 reports, does the time period of the tests of controls provide appropriate coverage for the specific fiscal year?
• Does the system or report scope comprehensively outline the services that you outsource?
• Does the scope of the system include a subservice organization?
• Has the service organization utilized the carve-out or inclusive method?
• Review any testing exceptions to determine impact of your assessment of the service organization
• The service auditor’s professional reputation