Posted On: May 25, 2017 08:14:37
The Service Organization Control (SOC) framework was introduced as a new reporting platform by the American Institute of Certified Public Accountants (AICPA) and replaced the SAS 70 reporting framework. SOC reports are reports issued by independent auditors on the controls of a service organization.
Imagine you are a service-based company providing services to your customers. Those services might have an impact on the customers' own operations or financial statements. SOC reports are a way to show that the controls surrounding the services that might affect the customer are designed and implemented properly.
Nowadays, service organizations are evaluated in the market partly on whether they hold SOC reports. Hence, it has become pivotal for an organization that provides services to other businesses (and for the organizations that use those services) to undergo a SOC audit and obtain a SOC report.
The SOC 1 and SOC 2 reports are two types of reports focused on different controls of an organization. A question organizations commonly raise is which report is suitable for them. It usually depends on the services you are providing to your customers/users. Sometimes you might need to go through both SOC 1 and SOC 2 audits. Here are some comparisons between the SOC 1 and SOC 2 reports that will help you choose between the two.
SOC 1 or SSAE 16 Reports
SOC 1 reports are also called SSAE 16 (Statement on Standards for Attestation Engagements No. 16) reports, after the attestation standard they were issued under (SSAE 16 was superseded by SSAE 18 in May 2017, but the SOC 1 report itself remains). These reports focus on the examination of controls relevant to the user entities' financial reporting. Organizations that undergo a SOC 1 examination and issue SOC 1 reports are those that manage a process that impacts their users'/customers' financial statements. Some examples that come to mind are payroll processing, billing and revenue processes. A SOC 1 report is of two types.
1. SOC 1 – Type I audit report focuses on a description of a service organization's controls and the suitability of the design of those controls to achieve the control objectives as of a specified date.
2. SOC 1 – Type II audit report contains the same opinions as a Type I, but it adds an opinion on the operating effectiveness of the controls in achieving the related control objectives throughout a specified period (typically six to twelve months).
SOC 2 Reports
SOC 2 reports focus on the operational and compliance controls of an organization rather than on financial reporting. Organizations whose services touch one or more of the following areas (the AICPA Trust Services Principles) issue SOC 2 reports; a SOC 2 report covers security at a minimum and may add any of the other areas. Like SOC 1, a SOC 2 report comes in Type I (design as of a date) and Type II (design and operating effectiveness over a period) forms. The areas are discussed below.
1. The security of the service organization's system against unauthorized access.
2. The availability of the service organization's system for operation and use as committed.
3. The processing integrity of the service organization's system (processing is complete, accurate, timely and authorized).
4. The confidentiality of the information that the service organization's system processes or maintains for user entities.
5. The privacy of the personal data of users/customers.
The organizations that fall under SOC 2 reporting are those responsible for managing highly sensitive data, transactions or classified information, among others. Examples are data centers, colocation facilities, cloud service providers and software-as-a-service providers.
These were some of the basic comparisons between SOC 1 and SOC 2 reports that should help you evaluate which report is appropriate for your services: SOC 1 if your service affects your customers' financial reporting, SOC 2 if it affects the security, availability, integrity, confidentiality or privacy of their data, and both if it does both.