SOC 1 Vs. SOC 2 – Which SOC Report Do I Need?

As a service organization, you are familiar with audit requests from clients who are required to meet specific compliance and audit requirements. You have most likely been asked whether your organization is SOC 1 Compliant or SOC 2 Compliant. What are the differences between a SOC 1 and SOC 2? Which SOC report should I get? Do I need both? These are questions we, as auditors, are frequently asked. Let’s take a look at the differences between the two, and why you could be asked for either, or both, as you continue to grow your business.

SOC 1 Vs. SOC 2 with Joseph Kirkpatrick

Do I need a SOC 1?

A Service Organization Control 1, or SOC 1, engagement is an audit of the internal controls at a service organization that are relevant to its clients’ financial reporting. SOC 1 engagements were performed in accordance with the Statement on Standards for Attestation Engagements No. 16 (SSAE 16); that standard has since been superseded by SSAE 18, but the scope of the report, internal control over financial reporting (ICFR), is unchanged. A SOC 1 assessment is built around control objectives that describe the organization’s ICFR. In other words, if you host or process financial information that could affect your clients’ financial reporting, then a SOC 1 audit report makes the most sense for your organization to pursue, and will likely be requested of you.

Do I need a SOC 2?

If you are hosting or processing other types of information for your clients that does not impact their financial reporting, then you may be asked for a SOC 2 audit report. In this instance, your clients are likely concerned whether you are handling their data in a secure way, and if it is available to them in the way you have contracted it to be. A SOC 2 report, similar to a SOC 1 report, evaluates internal controls, policies, and procedures. However, the difference is that a SOC 2 reports on controls that directly relate to the security, availability, processing integrity, confidentiality, and privacy at a service organization. These criteria are known as the Trust Services Principles, and are the foundation of any SOC 2 audit engagement.

Do I need a SOC 1 and a SOC 2 report?

If you have clients that fall under both categories, then there is a chance you may be asked for both. In some circumstances, you may determine that you need a SOC 1 and a SOC 2 report in order to effectively ensure that your controls meet the demands of a variety of clients and stakeholders. Fortunately, KirkpatrickPrice utilizes a unique Online Audit Manager that allows you to combine a SOC 1 and SOC 2 into one audit process resulting in two deliverables.

So which report makes the most sense for your organization? Should you pursue a SOC 1 or a SOC 2? Do you need both? Determining what your business objectives are is a vital first step in deciding which SOC audit you should pursue. KirkpatrickPrice can provide free consulting services to help you determine which SOC report makes the most sense for your organization and assist in determining the scope of your engagement. Think you may need multiple reports? We can help with that too. KirkpatrickPrice’s Online Audit Manager was designed to help take the stress away from meeting multiple audit demands by streamlining them into one efficient audit process. Contact us today using the form below to learn more about how we can help.

Selecting SOC 2 Principles

Once you’ve determined you are ready to pursue a SOC 2 audit report, the first thing you have to decide is which of the five Trust Services Principles (recently updated to Trust Services Criteria) you want to include in your SOC 2 audit report. SOC 2 reports can address one or more of the following principles: Security, Confidentiality, Availability, Processing Integrity, or Privacy. Becoming familiar with these principles should be the first step in determining the scope of your SOC 2 audit and deciding which of these principles apply to the services your organization provides.

Selecting SOC 2 Principles with Joseph Kirkpatrick

The Trust Services Principles

Trust Service Principle 1 - Security

In a non-privacy SOC 2 engagement, the Security principle must be included. Security is the set of common criteria that applies to every engagement and on which the other Trust Services Principles build (under the 2017 Trust Services Criteria, the common criteria apply to every SOC 2 engagement, privacy included). The Security principle addresses whether the system is protected, both physically and logically, against unauthorized access.


Trust Service Principle 3 - Confidentiality

If the services your organization offers deal with sensitive data, such as Personally Identifiable Information (PII) or Protected Health Information (PHI), the Confidentiality principle should be present in your SOC 2 audit report. The Confidentiality principle addresses the agreements you have with clients regarding how you use their information, who has access to it, and how you protect it. Are you meeting your contractual obligations by properly protecting client information?

Trust Service Principle 2 - Availability

Are you ensuring that the system you provide your clients is available for operation and used as agreed? Availability addresses whether the services you provide are operating with the type of availability that your clients would expect. The Availability principle typically applies to companies providing colocation, data center, or hosting services to their clients.


Trust Service Principle 4 - Processing Integrity

If the services you provide are financial services or e-commerce services and are concerned with transactional integrity, Processing Integrity is a principle that should be included in your SOC 2 report. Are the services you provide to your clients provided in a complete, accurate, authorized, and timely manner? Are you ensuring that these things are happening?


Trust Service Principle 5 - Privacy

Lastly, we have the Privacy principle. The Privacy principle really stands on its own, as it specifically addresses how you collect and use consumers’ personal information. It addresses whether your organization handles personal information in accordance with the commitments in its privacy notice and with the criteria in the Generally Accepted Privacy Principles (GAPP) issued by the AICPA.


You aren’t necessarily required to address all five of the Trust Services Principles in your SOC 2 audit report; you should select the principles that are relevant to the services you provide to your customers. If you’re ready to begin your SOC 2 audit and need help determining which of the Trust Services Principles to include, contact us today.


Video Transcription

One of the first things that you have to do in order to prepare for a SOC 2 audit engagement is select which principles from the trust services principles will be included in your SOC 2 audit report. The principles again are: Security, Availability, Confidentiality, Processing Integrity and Privacy.

Security must be included in any non-privacy principle SOC 2 audit engagement. We refer to the security principle as the common criteria that applies to any SOC 2 engagement and applies across the board to all the principles involved except for privacy.

So you must include that one, but from there you will look at confidentiality. Do you have agreements with your clients about how you will use the information, who has access to it and how you will protect that, and are you abiding by those contracts that you’ve entered in to?

Processing integrity has to do with providing your services in a complete manner, in an accurate manner, in a timely manner and are you doing those things?

Availability has to do with, is your system available to your clients as agreed? The services that you provide – are you maintaining the type of availability that your clients would expect for your services to be available to them?

Then finally, Privacy really kind of stands on its own. It’s a very unique principle, it’s very different from the other four. And we usually issue that as its own type of report because it addresses how you collect and use personal information of consumers, and do they have rights to opt out of how their information is used. Do they have the ability to file a complaint and get a response from you on how information is being utilized?

So think about those five principles and what would be included in your SOC 2 audit engagement.

Why am I Being Asked about SOC 2 Compliance?

If you’re being asked about SOC 2 compliance for the first time, you may be wondering why. It’s becoming increasingly common for organizations to request that their vendors become SOC 2 compliant so they can ensure that the companies they are working with are appropriately protecting their sensitive information.

Perhaps you’re a vendor to a larger or publicly traded organization that is itself being audited, or maybe you want to demonstrate that security is a critical part of your organization. Such clients will require you to demonstrate SOC 2 compliance to address their information security risk concerns. The SOC 2 report addresses principles (known as the Trust Services Principles) such as security, availability, processing integrity, confidentiality, and privacy.

Demonstrating that you’re SOC 2 compliant means demonstrating that the policies, procedures, and controls you have in place properly address the Trust Services Principles you have selected for your SOC 2 audit report. These principles are addressed by answering the following questions:

  • Security – Is the system protected against unauthorized access?
  • Availability – Is the system available for operation and use as agreed?
  • Processing Integrity – Is the system processing complete, valid, accurate, timely, and authorized?
  • Confidentiality – Is the information that’s designated as confidential protected as agreed?
  • Privacy – Is personal information collected, used, retained, disclosed, and destroyed in accordance with the entity’s privacy notice?

If you’re being asked to demonstrate SOC 2 compliance, or if you’re simply wanting to get ahead in your industry, engaging a third-party auditing firm to perform a SOC 2 audit is the right next step. SOC 2 compliance shows that you have matured the practices at your organization and are committed to gaining client trust. Are you confident your internal controls are protecting systems that process sensitive information? Are you ready to decide whether a SOC 2 report is what your organization needs? Contact us today using the form below and speak with a SOC 2 expert and find out how you can begin your SOC 2 audit.

Video Transcription

If you have been asked for a SOC 2 Audit Report, this might be the first time that you’ve had that request and you might be wondering what a SOC 2 Audit Report is. It seems to be very popular right now for organizations to ask their vendors about whether or not they are SOC 2 compliant. SOC 2 addresses principles such as security, availability, confidentiality and processing integrity.

And so as a vendor to a larger organization that’s perhaps being audited by a publicly traded company, they may ask you for a SOC 2 Audit Report because it’s specifically designed for Service Organizations. And it’s addressing matters of information security that are so important today as people are concerned about their third parties and whether or not they’re handling their information in a secure and effective manner. So look into a SOC 2 Audit Report, determine if it’s right for you, and contact us today to see if we can help in any way.

The History of SOC 2 Reports

How did SOC 2 Reports Come to Be?

In order to understand the purpose of a Service Organization Control (SOC) 2 Report, it’s important to understand the background and history of how the SOC 2 came into existence as a way for organizations to manage the risks of outsourcing services to a service organization.

The original standard was known as SAS 70 and was a way service organizations could demonstrate the effectiveness of internal controls at their organization. The SAS 70 audit was performed by a CPA and the result was a report on the effectiveness of internal control over financial reporting. Although not the intended purpose, organizations began using the SAS 70 report to prove that a vendor was secure and safe to work with. When the SSAE 16 or SOC 1 report replaced SAS 70, the SOC 2 was introduced as a report that addresses security.

The SOC 2 was welcomed with open arms. It was intended to give a wide range of organizations information security assurance over the internal controls that affect the security, availability, processing integrity, confidentiality, and/or privacy of a system. The SOC 2 is based on predefined criteria known as the Trust Services Principles. The AICPA has defined these principles to ensure the following:

  • Security – The system is protected against unauthorized access.
  • Availability – The system is available for operation and use as committed or agreed.
  • Processing integrity – System processing is complete, valid, accurate, timely, and authorized.
  • Confidentiality – Information designated as confidential is protected as committed or agreed.
  • Privacy – Personal information is collected, used, retained, disclosed and destroyed in accordance with the privacy notice commitments.

Understanding the purpose behind the SOC 2 can help bring added benefits to your organization. A SOC 2 report can give you a competitive advantage by helping you to prioritize your risks in order to ensure that you’re delivering high quality services to your clients. KirkpatrickPrice encourages companies who are interested in demonstrating their commitment to privacy and security to consider engaging a third-party auditor to perform a SOC 2 audit.


Video Transcription

Joseph Kirkpatrick on The History of SOC 2 Reports

In order to understand the SOC 2 audit report, I think it’s important to understand the background and the history of Service Organization Control Reports.

The original audit was referred to as a SAS 70 and it addressed internal controls which can definitely include security, but over the years, people started treating the SAS 70 as a report in order to prove that a vendor was secure, when that was not the original intention of that service organization control report. And so when the SAS 70 was replaced with the SSAE 16 standard, the AICPA renamed that the SOC 1 and they introduced the SOC 2 audit report in 2009 by issuing the Trust Services Principles that address security, availability, confidentiality, processing integrity and privacy.

So finally we had a standard, we had some principles to rest upon that allowed us to address security and that’s what the SOC 2 report is all about. You are able to choose which principles to include into that report and security is always the core principle that has to be included in a non-privacy principle SOC 2 audit report.

Sarah Morris


Managing Editor | GISF

Sarah Morris is the Managing Editor at KirkpatrickPrice. She is certified in General Information Security Fundamentals (GIAC GISF) and specializes in keeping organizations up to date on information security and regulatory compliance by being a thought leader and developing valuable content that revolves around industry trends and best practices.

Joseph Kirkpatrick


Managing Partner | CISSP, CGEIT, CISA, CRISC, QSA

Joseph Kirkpatrick, Managing Partner at KirkpatrickPrice, holds the CISSP, CISA, CGEIT, and CRISC certifications as a certified specialist in data security, IT governance, and regulatory compliance. He has delivered auditing and security assessment services for more than 15 years.

AODocs’ SOC 2 Certification Journey with KirkpatrickPrice

AODocs is an enterprise document management solution that has grown rapidly over the past few years; our solution now solves business challenges for over 500 enterprise Google Apps customers, ranging from small startups to Fortune 500 companies. Recently, AODocs received their SOC 2 certification with the help of KirkpatrickPrice, and we are proud to be the only enterprise document management solution on Google Drive with a SOC 2 certification.

We grew nearly tenfold in the last two years and we were grateful for the guidance of KirkpatrickPrice who taught us best practices during that time. Working with the KirkpatrickPrice auditors not only helped us validate the robustness of our architecture, but also gave us a framework to set up processes that our organization needed in order to mature.

Why did we pursue SOC 2 Certification?

Security has always been paramount to us, even before undergoing the SOC 2 certification audit. We knew that it would be beneficial for our customers to have an independent verification of our security practices, both for their peace of mind and their own compliance strategy.

The Service Organization Control 2 (SOC 2) is an auditing standard that not only verifies controls and processes, but also includes a written attestation by a CPA regarding the design and operating effectiveness of the controls being reviewed. KirkpatrickPrice audited our internal policies and processes, and validated our compliance with the SOC 2 Trust Services Principles. The audit included a full assessment of AODocs software, people, procedures, and infrastructure (AODocs runs on Google Cloud Platform, which is also SOC 2 certified).

The resulting SOC 2 report is one of the gold standards of security for cloud technologies. In fact, organizations faced with compliance requirements around sensitive data can leverage AODocs’ SOC 2 certification as part of their compliance strategy. AODocs helps many organizations comply with regulations and standards such as ISO 9001, ISO 14001, OHSMS, OHSAS, and others. Now, with our SOC 2 certification, customers have one more reason to trust AODocs with their business critical documents.

Getting a SOC 2 certification was a lengthy process, but completely worth it. Of course using AODocs makes going through audits much easier, which also contributed to making this a positive experience for us.

Why Should Customers Care that SaaS Companies Have a SOC 2 Certification?

Companies moving their documents to the cloud often have legitimate concerns about the security of their sensitive information. Certifications like SOC 2 provide them with an independent assurance that the platform they are choosing offers the level of confidentiality they require for their business, as mentioned here. We, at AODocs, have found this to be true.