SOC 1 vs. SOC 2: Which SOC Report Do I Need?

by Sarah Harvey / November 7th, 2016

SOC 1 vs. SOC 2 Reports: What’s the Difference?

As a service organization, you are familiar with audit requests from clients who are required to meet specific compliance and audit requirements, and you have most likely been asked whether your organization is SOC 1 compliant or SOC 2 compliant.

We often get asked:

What are the differences between a SOC 1 vs. SOC 2 audit?
Which SOC report should you get?
Do you need both audit reports?

Let’s take a look at the differences between a SOC 1 vs. SOC 2 audit, and why you could be asked for either, or both, as you continue to grow your business.

Do I Need a SOC 1 Audit?

A Systems and Organization Controls 1, or SOC 1 engagement, is an audit of the internal controls at a service organization which have been implemented to protect client data.

SOC 1 engagements are performed in accordance with the Statement on Standards for Attestation Engagements No. 18 (SSAE 18). A SOC 1 assessment is comprised of control objectives, which are used to accurately represent internal controls over financial reporting (ICFR).

In other words, if you are hosting financial information that could affect your client’s financial reporting, then a SOC 1 audit report makes the most sense for your organization to pursue, and it will likely be requested of you.

Do I Need a SOC 2 Audit?

If you are hosting or processing other types of information for your clients that does not impact their financial reporting, then you may be asked for a SOC 2 audit report.

In this instance, your clients are likely concerned whether you are handling their data in a secure way, and if it is available to them in the way you have contracted it to be. A SOC 2 report, similar to a SOC 1 report, evaluates internal controls, policies, and procedures.

However, the difference is that a SOC 2 reports on controls that directly relate to the security, availability, processing integrity, confidentiality, and privacy at a service organization. These categories are known as the Trust Services Criteria and are the foundation of any SOC 2 audit engagement.

Do I Need a SOC 1 and a SOC 2 Report?

If you have clients that fall under both categories, then there is a chance you may be asked for both.

In some circumstances, you may determine that you need a SOC 1 and a SOC 2 report in order to effectively ensure that your controls meet the demands of a variety of clients and stakeholders. Fortunately, KirkpatrickPrice utilizes a unique Online Audit Manager that allows you to combine a SOC 1 and SOC 2 into one audit process resulting in two deliverables.

How Can KirkpatrickPrice Help?

Determining what your business objectives are is a vital first step in deciding which SOC audit you should pursue. KirkpatrickPrice can provide free consulting services to help you determine which SOC report makes the most sense for your organization and assist in determining the scope of your engagement.

Think you may need multiple reports?

We can help with that too. KirkpatrickPrice’s Online Audit Manager was designed to help take the stress away from meeting multiple audit demands by streamlining them into one efficient audit process.