What are SOC 1 and SOC 2?
SOC stands for Service Organization Controls. It’s a collection of reports regarding an organization’s system-level controls. These reports are governed by the American Institute of Certified Public Accountants (AICPA). While there are SOC 1, SOC 2, SOC 3, and SOC for Cybersecurity reports, SOC 1 and SOC 2 tend to be the most commonly used by US companies.
A SOC 1 report or SOC 1 audit reviews documentation pertaining to an organization’s internal controls regarding financial reporting. A SOC 2 compliance report or SOC 2 audit pertains to internal controls around cybersecurity, cloud computing, information security, data security, and vendor risk management.
Overview of SOC 1 and SOC 2
A SOC 1 report focuses on evaluating and testing a service organization’s internal control over financial reporting (ICFR). This covers services such as retirement plans, payroll processing, employee benefits, loan servicing, and more. Having a SOC 1 report demonstrates to your stakeholders and customers that your organization is committed to protecting sensitive financial information. Receiving a SOC 1 report can be a significant asset and competitive advantage to your firm.
On the other hand, in a SOC 2 audit report, the American Institute of CPAs uses specific criteria, referred to as the “Trust Services Criteria,” to evaluate an organization’s internal system controls as they relate to cybersecurity and risk management. The five criteria are:
- Security
- Availability
- Processing integrity
- Confidentiality
- Privacy
In summary, a SOC Type 1 report covers controls in place at a specific point in time. A Type 2 report assesses controls over a defined period of time (minimum 3 months). A Type 1 or a Type 2 report can be conducted for either SOC 1 or SOC 2.
What are the requirements of SOC 1 and SOC 2?
With SOC 1, an audit may be required by a client or investor if your company provides a service that impacts the client’s internal controls over financial reporting (ICFR). This audit report must demonstrate that your organization has proper IT security controls in place, as well as operational controls (e.g. authorizations, reconciliations, etc.) to support the objectives of your security controls.
The requirements for SOC 2 are outlined in the Trust Services Criteria described below:
- Security: This section of the audit seeks to determine whether or not systems are sufficiently safeguarded from unauthorized access and whether or not there are security practices in place to alert administrators to a potential security incident.
- Availability: This section of the audit will focus on determining whether or not customers are able to access the system per your contractual specifications.
- Processing Integrity: This section is tailored for organizations that process financial transactions. Thus, documentation should validate the controls in place to safeguard those transactions.
- Confidentiality: This component of the audit will seek to validate any restrictions put on access to sensitive data, such as Protected Health Information (PHI) or Personally Identifiable Information (PII). Furthermore, documentation on how the data is stored and transmitted, as well as protocols that ensure adherence to privacy policies should be included.
- Privacy: While confidentiality concerns how data is accessed and shared, privacy focuses on how data is collected and used. The privacy policy in place should coincide with the company’s actual protocols from an operational perspective. At a minimum, these guidelines should be aligned with AICPA’s Generally Accepted Privacy Principles (GAPP).
Who do SOC 1 and SOC 2 affect?
SOC 1 and SOC 2 are completely voluntary and are not mandated. However, they have become ubiquitous among service organizations and are typically expected by the customers of these types of organizations.
SOC 1 reports affect service organizations that materially impact the financial reporting of their clients. Examples might be payroll processors or employee benefits providers.
SOC 2 reports affect service organizations that offer key services to an organization and are responsible for ensuring the privacy and safety of customer data. Examples include SaaS companies and any company that leverages cloud services to store company data.
How to be Compliant with SOC 1 and SOC 2
Prior to your SOC 1 or SOC 2 audit, it’s a good idea to spend some time reviewing the specific compliance requirements or Trust Services Criteria you’re being reviewed against, to ensure you’ve covered all your bases and have the appropriate documentation to support them.
Here are some best practices to keep in mind as you are preparing for an audit:
- Be sure you’re clear on the scope of your SOC 1 or SOC 2 audit.
- Catalog the relevant systems and data pertaining to the audit.
- Use a risk assessment to understand what additional controls may be needed to properly manage risk. This may include isolating sensitive data or implementing access controls to systems containing sensitive data.
- Ensure there is sufficient documentation verifying all of your information security policies.
- Perform an internal audit prior to your official audit to make sure you’ve done your due diligence. Failing to prepare for attestation could cause your organization to incur additional costs of repeating an unsuccessful audit.
- Consult with an experienced business partner with relevant information technology and security skills who can help you prepare, evaluate your controls, and verify that your organization is ready for the official audit.
Key takeaways
- A SOC 1 audit reviews documentation pertaining to an organization’s internal controls regarding financial reporting.
- A SOC 2 audit reviews internal controls around cybersecurity, data privacy, and vendor risk management.
- The type of SOC report a service provider obtains depends on its industry and requirements.
- To verify that a service organization meets these mandates, it must undergo an audit by a CPA firm.
- SOC 1 and SOC 2 empower companies to feel confident that service providers meet certain regulatory and ethical requirements.