What’s a better fit?
An SOC 1 or an SOC 2?
The general term for third-party risk reporting by service organizations to user organizations is System and Organization Controls report, or SOC report. The term originates from the American Institute of Certified Public Accountants (AICPA) as the replacement for the SAS 70 framework.
These reports were previously called Service Organization Control reports. SOC is a series of reports originating in the US. ISAE 3402 aligns with the American Statement on Standards for Attestation Engagements (SSAE) No. 18. An ISAE 3402 report provides assurance on the description of a service organization’s system and on the suitability of the design and operation of its internal control measures through a Service Auditor’s Report.
ISAE 3402 | SOC 1
In an ISAE 3402 | SOC 1 report, organizations define their own control objectives and controls and align them with customer needs. The scope of an ISAE 3402 typically includes all operational and financial controls affecting financial statements, plus the IT general controls (ITGCs) such as security management, physical and logical security, change management, incident management, and system monitoring. In other words, if an organization hosts financial information that may affect its customers’ financial reporting, then an ISAE 3402 | SOC 1 audit report is the most logical one for the organization to pursue and is the one most likely to be requested. The ITGCs, operational controls, and financial controls are audited under the ISAE 3402 | SOC 1 framework.
In an SOC 1 audit, the controls used to accurately represent internal control over financial reporting (ICOFR) must be included if the organization is subject to SEC filings in the US.
Since IT service providers, and at a later stage cloud service providers and data center/hosting providers, became the most important suppliers to financial institutions and gained ground in the IT industry, SAS 70, SSAE 18 SOC 1, and ISAE 3402 have become the most comprehensive and transparent standards for IT outsourcing and risk excellence. Organizations requiring an ISAE 3402 | SOC 1 report often also consider ISAE 3000 | SOC 2 reports.
ISAE 3000 | SOC 2
ISAE 3000 | SOC 2 reports apply the Trust Services Principles and Criteria (TSPs). The TSPs are a set of specific requirements developed by the AICPA and the Canadian Institute of Chartered Accountants (CICA) to provide assurance over security, availability, confidentiality, processing integrity, and privacy. An organization can choose the aspects relevant to its customers’ needs, so an ISAE 3000 | SOC 2 report may cover one or more of these principles. If your organization hosts or processes other types of information for your customers that do not affect their financial reporting, then an ISAE 3000 | SOC 2 is more relevant. In this case, your customers are likely concerned with whether you handle their data securely and whether it is available to them as agreed. An SOC 2 report, like an SOC 1 report, evaluates internal controls, policies, and procedures.
SOC 1 OR SOC 2?
Organizations processing, hosting, or managing systems or information that affect financial reporting must always provide an ISAE 3402 | SOC 1. ISAE 3000 | SOC 2 applies when all systems and processes are unrelated to financial reporting. Data center, IaaS, and PaaS providers typically report in a hybrid fashion, with an ISAE 3402 | SOC 1 for financial processes and systems and an ISAE 3000 | SOC 2 for unrelated processes and systems. The content of both reports will be identical.