SOC 1 & SOC 2
The primary and widely used term for service organizations reporting on third-party risks to user organizations is the Systems and Organization Control Report, often referred to as the SOC report. This term was introduced by the American Institute of Certified Public Accountants (AICPA) as a replacement for the SAS70 framework.
Previously, these were known as Service Organization Control reports. SOC encompasses a suite of reports that originated in the United States. ISAE 3402 is aligned with the US Statement on Standards for Attestation Engagements (SSAE) 18 US standard. An ISAE 3402 report delivers assurance on a service organization’s system description and the appropriateness of its control design and operational effectiveness as presented in a Service Auditor’s Report.
ISAE 3402 | SOC 1: In an ISAE 3402 | SOC 1 report, organizations establish their own control objectives and controls and align them with customer requirements. The scope of an ISAE 3402 report typically includes all operational and financial controls that impact financial statements, as well as IT General Controls (e.g., security management, physical and logical security, change management, incident management, and systems monitoring). In essence, if an organization hosts financial information that could affect its client’s financial reporting, pursuing an ISAE 3402 | SOC 1 audit report is the most logical choice and is often requested. ITGCs, operational controls, and financial controls fall within the purview of an ISAE 3402 | SOC 1 audit.
SOC 1: In a SOC 1 audit, control objectives essential for accurately representing internal control over financial reporting (ICOFR) are required. Organizations subject to SEC filings in the United States typically include these objectives.
Given the importance of IT service providers, cloud service providers, and datacenter/housing providers as key suppliers to financial institutions, standards like SAS70, SSAE 18 SOC 1, and ISAE 3402 have gained significant prominence in the IT industry. They have become the most comprehensive and transparent standards for effective IT outsourcing and risk management. Organizations seeking an ISAE 3402 | SOC 1 report often contemplate ISAE 3000 | SOC 2 reports.
ISAE 3000 | SOC 2: In ISAE 3000 | SOC 2 reports, the Trust Services Principles and Criteria (TSPs) are applied. These TSPs consist of specific requirements developed by the AICPA and Canadian Institute of Chartered Accountants (CICA) to provide assurance concerning security, availability, confidentiality, processing integrity, and privacy. An organization can select the specific aspects that align with their customers’ needs. An ISAE 3000 | SOC 2 report may encompass one or more principles. When an organization handles various types of information for clients that do not impact financial reporting, an ISAE 3000 | SOC 2 report is more relevant. In such cases, clients are primarily concerned about the secure handling and availability of their data as stipulated in their agreements. A SOC 2 report, like a SOC 1 report, evaluates internal controls, policies, and procedures.
SOC 1 or SOC 2: Organizations that manage, process, or host systems or information affecting financial reporting should invariably provide an ISAE 3402 | SOC 1 report. ISAE 3000 | SOC 2 is suitable when all systems and processes are unrelated to financial reporting. Datacenter providers, Infrastructure as a Service (IaaS) providers, and Platform as a Service (PaaS) providers often issue hybrid reports, incorporating both an ISAE 3402 | SOC 1 for finance-related processes and systems and an ISAE 3000 | SOC 2 for unrelated processes and systems. The content of both reports is typically identical.