What suits my organization better?
SOC 1 or SOC 2?
The SSAE18 standard (AICPA) from the United States includes two types of reports; a Service Organization Control Report 1 (SOC 1) and a Service Organization Control Report 2 (SOC 2). This terminology is increasingly being used internationally. An ISAE 3402 report is within this terminology a SOC 1 report, an ISAE 3000 report is a SOC 2 report.
An ISAE 3402 report is a report on how the service provider manages risks over the processes that are outsourced. Outsourcing, and more specifically financial processes, are the framework for this report. An alternative to this report is the SOC 2 report where outsourcing is not the primary framework, but rather information security. The criteria for information security and privacy are included in the Trust Service Criteria. Criteria related to security, privacy, availability, and confidentiality. Additionally, there is a SOC 3 report.
Do I need an SOC 1?
A Service Organization Control 1 is an audit of internal controls focused on securing client data. SOC 1 audits are conducted according to Statement on Standards for Attestation Engagements No. 16 (SSAE 16). A SOC 1 includes control objectives used for internal control over financial reporting. The financial statements are thus the framework for this report. This means that all processes are designed to ensure that all data in the financial statements is accurate and complete.
In other words; if you process or host data related to a financial process, then SOC 1 is applicable.
Do I need an SOC 2?
If you process or host data that do not affect your clients’ financial statements, then SOC 2 is applicable. In this case, your clients are mainly interested in whether you handle information security and privacy correctly.
In an SOC 2 report, similar to an SOC 1 report, internal control measures are included.
Which type of report is best for me now: SOC 1 or SOC 2?
An important difference is that privacy is not mandatory in an SOC 1 and in an SOC 2 based on the Trust Service Criteria, it is. If you have clients falling into both categories, there is a reasonable chance that you will be asked to provide both. You can determine whether you need an SOC 1 or SOC 2 report to fulfill the needs of a wide variety of clients. Risklane offers a unique Online Audit Tool (ControlReports) that supports you in integrating the SOC 1 and SOC 2 audits, resulting in two separate reports. At no extra cost.
If you want more information about the impact of SOC 1 (ISAE 3402), SOC 2 (ISAE3000) for your organization, please contact Securance (+31) 030 2800888.