Combining SOC 1 and SOC 2 Audits

by Sarah Harvey / February 3rd, 2020

We get a lot of questions about SOC 1 and SOC 2 audits. What’s the difference between the two? Should your company do both? Are you able to consolidate multiple audits into one project? KirkpatrickPrice has developed the Online Audit Manager to make it easier to combine multiple audits into one project. Let’s talk through why and how you would take on the project of a combined SOC 1 and SOC 2 audit.

What are SOC 1 and SOC 2 Audits?

Before we discuss how to go through a combined SOC 1 and SOC 2 audit, let’s review what each of these types of audits are. What does a SOC 1 audit assess? A SOC 1 audit is an assessment of the internal controls at a service organization which have been implemented to protect client data. SOC 1 audits are performed in accordance with the Statement on Standards for Attestation Engagements No. 18 (SSAE 18) standard and report on the effectiveness of internal controls at a service organization that may be relevant to their client’s internal control over financial reporting (ICFR).

A SOC 2 audit is a second type of SOC assessment of the internal controls at a service organization that protect client data. The SOC 2 audit was designed to determine if service organizations are compliant with the principles of security, availability, processing integrity, confidentiality, and privacy (also known as the Trust Services Criteria) – which are typically unrelated to ICFR. The Trust Services Criteria are the foundation of the SOC 2 audit, just as the SSAE 18 is the basis of a SOC 1 audit.

Why a Combined SOC 1 and SOC 2 Audit?

Why would a company pursue a combined SOC 1 and SOC 2 audit? The obvious reason is that you may have clients that are specifically asking for SOC 1 and SOC 2 reports from you. They want to know whether you are handling their data in a secure way. You could also have some asking for one audit or the other. In some circumstances, your clients may not even know which one you need, but they want you to prove your security practices are legitimate – so it’s up to you to determine whether you’ll undergo a SOC 1, SOC 2, or a combined SOC 1 and SOC 2 audit. Whenever your clients (especially key accounts) or stakeholders have specific compliance requirements, it’s always a wise decision to do your due diligence and know what your options are for meeting their requirements and industry standards. To effectively ensure that your controls meet the demands of the variety of clients and stakeholders that you serve, you should know that a combined SOC 1 and SOC 2 audit is an option.

Here’s what some of our clients have to say about their combined SOC 1 and SOC 2 audit with KirkpatrickPrice:

“Trust and transparency is a core Rhumbix value. As a leading provider of construction technology, it is important for us to provide SOC 1 and SOC 2 reporting for our customers and ensure we continue to build and architecture future Rhumbix products with the highest standards. ” – VP of Development at Rhumbix
“The successful completion of our SOC 1 and SOC 2 Type II examination audits provides our clients with the assurance that the controls and safeguards we employ to protect and secure their data are in line with industry standards and best practices.” – Information Security Officer at Inovatec
“CBOSS is committed to delivering robust, secure solutions for payment processing to all our customers. To that end, we strive to make security and reliability integral to every aspect of our operations. We appreciate the KirkpatrickPrice’s thoroughness and we are proud to have met or exceeded all the requirements they validated.” – Security and Compliance Manager for CBOSS
“Upholding security regulations is critical as a service provider. Completing the SOC 1 Type II and SOC 2 Type II audits provides validation to OneCloud customers that we’re committed to keeping our platform secure. OneCloud will annually renew our SOC certification by maintaining the necessary controls and processes.” – Chief Executive Officer of OneCloud

Using the Online Audit Manager

Our goal is to make SOC 1 and SOC 2 reports more accessible to organizations who are being asked for them, so in order to complete a combined SOC 1 and SOC 2 audit, we utilize the Online Audit Manager. The Online Audit Manager is an online audit delivery tool that maps the requirements of each framework to one another so that you can capitalize on your resources instead of answering the same question over and over again on separate audits – all with the goal of saving your organization’s time, effort, and money. Completing a combined SOC 1 and SOC 2 audit with KirkpatrickPrice will be a more efficient, accessible process for your organization. Interested in more specifics on how this works? Let’s set up a demo of the Online Audit Manager.