SOC 1 Type 2 Compliance Audit

Why is SOC 1 Type 2 Used?

One of the most critical reports for third-party (vendor) data security and SOX compliance is the SOC 1 Type 2 Attestation (which some call an Audit).

The SOC 1 Type 2 attest report provides compliance and assurance over the financial data processing covered by the service provider's ICFR (Internal Controls over Financial Reporting) and may fulfill SOX compliance requirements. SOC 1 Attestation is also known as a SOC 1 Audit (by clients), SOC 1 Engagement, SOC 1 Examination, SOC 1 Certification (by clients), and SOC 1 Compliance.

SOC 1 compliance reports are issued under AICPA's SSAE 18 Attest Standard, which is used for SOC 1, SOC 2, and SOC 3 reports. From 1992 these reports were known as SAS 70 reports. In 2011 SOC 1 was brought under the SSAE 16 Standard and SOC 2 under AT 101. Finally, in 2017, SSAE 16 and the other SSAE standards were merged into a single standard, SSAE 18. This brought all SOC 1, SOC 2, and SOC 3 reports under SSAE 18, and it is the main difference between SSAE 16 and SSAE 18 as far as SOC 1 Type 2 compliance reports are concerned.

AT-C section 320 provides guidance on “Reporting on an Examination of Controls at a Service Organization Relevant to User Entities’ Internal Control Over Financial Reporting”.

What does SOC 1 Type 2 Mean?

SOC now stands for System and Organization Controls. The definition was changed in 2017 from the earlier expansion, Service Organization Controls, which reflected that these compliance reports were mainly used for vendor (third-party) compliance audits, the audited organizations being service organizations. The auditor who audits these service organizations is called a Service Auditor (SOC Auditor).

A SOC 1 Type 2 compliance report reports on the operating effectiveness of controls over a period of at least 6 months (commonly 12 months). This is in contrast to certifications such as ISO 27001, which provide a certificate valid for 3 years. For periods not covered by the report, or for the period immediately after it, some User Entities or User Auditors may insist on a SOC Bridge Letter.

What does a SOC 1 Type 2 Report Comprise?

The scope of a SOC 1 Type 2 compliance report usually depends on the number of controls reported. The SOC 1 Type 2 report comprises all the applicable controls for the control objectives in scope, as reported by the SOC Auditor (Service Auditor). The SOC 1 Type 2 report now has 4 sections: Section I is the Auditor's Opinion, Section II is the Management Assertion, Section III is the Description Criteria or System Description, and Section IV is a detailed list of controls per the applicable control objectives, along with the results of the auditor's tests of controls. Unlike a SOC 2 Type 2 report, a SOC 1 report does not cover AICPA's Trust Services Criteria of Security (Common Criteria), Availability, Confidentiality, Processing Integrity, and Privacy (formerly known as the Generally Accepted Privacy Principles, GAPP).

To issue a SOC 1 compliance report for a public (listed) entity, the CPA firm must be registered with the PCAOB.

The major difference between SOC 1 and SOC 2 is the kind of data being processed or stored by the service organization. If it is financial data relevant to ICFR, a SOC 1 report is used. In all other cases, a SOC 2 report is used.

The auditor's opinion in a SOC 1 report can be qualified or unqualified.

A SOC 1 report can be shared only with the Management of the Service Organization, User Entities, and User Auditors, and only under an NDA or a confidentiality agreement. AICPA allows the use of the SOC logo on the client's website.