The SOC 1 vs. SOC 2 discussion is well under way, thanks in large part to the American Institute of Certified Public Accountants' (AICPA) launch of its new service organization reporting platform, known as the SOC framework. SOC stands for "Service Organization Control", and the framework allows qualified practitioners (i.e., licensed and registered Certified Public Accountants) to issue SOC 1, SOC 2, and/or SOC 3 reports. With the SSAE 16 standard (used for issuing SOC 1 reports) effectively replacing the longstanding SAS 70 auditing standard for reporting periods ending on or after June 15, 2011, there has been much debate regarding SOC 1 vs. SOC 2: specifically, when each is applicable, what the respective scope of each is, and what similarities and differences they share.
Service Organization Control (SOC) 1 reports are to be conducted in accordance with Statement on Standards for Attestation Engagements (SSAE) No. 16, the AICPA "attest" standard that not only replaced SAS 70 but was intended to reinforce SAS 70's true intent: an audit conducted over "internal controls over financial reporting", more commonly known as the ICFR concept. Because SAS 70 strayed heavily from its intended use, the newly formed SOC framework places great emphasis on the ICFR component of service organization reporting, and advises a service organization to opt for a SOC 1 report (for which an SSAE 16 Type 1 or Type 2 report can be obtained) only if the services it provides have a true relationship and/or nexus with ICFR, i.e., the financial reporting of the user entities it serves. Learn more about NDB's complimentary SOC 1 Policy Packets and SOC 2 Policy Packets, which help service organizations save thousands of dollars on SOC compliance.
7. Provide a Written Statement of Assertion - Yet another requirement for SOC 2 compliance is providing the service auditor (i.e., the CPA performing the SOC 2 engagement) with a written statement of assertion. This assertion, which was never a requirement under SAS 70, is a document in which management of the service organization "asserts" to a number of provisions regarding its overall control environment.
8. SOC 2 is Criteria Based, Not Control Objective Based - Unlike SOC 1 (SSAE 16) reports, which list control objectives to report on and, ultimately, to test against, SOC 2 reporting is "criteria" based and requires the practitioner to scope the engagement using one or more (up to all five) of the Trust Services Principles (TSP). Thus, for illustrative purposes, you should not find language such as "controls provide reasonable assurance that..." in a SOC 2 report; rather, you should find a listing of the criteria and a description of what is in place to meet the applicable criteria for each Trust Services Principle included in the scope.
4. Learn about AT Section 101 - If you are a service organization embarking on SOC 2 compliance, then you will need to take a few moments to understand the technical aspects of AT Section 101. In short, AT Section 101 is the professional AICPA standard that allows a practitioner to report on subject matter other than financial statements, such as the subject matter of a SOC 2 report. A practitioner performing an engagement in accordance with AT Section 101 is to adhere to the following five (5) general standards:
(1) The practitioner must have adequate technical training and proficiency to perform the attestation engagement.
(2) The practitioner must have adequate knowledge of the subject matter.
(3) The practitioner must have reason to believe that the subject matter is capable of evaluation against criteria that are suitable and available to users.
(4) The practitioner must maintain independence in mental attitude in all matters relating to the engagement.
(5) The practitioner must exercise due professional care in the planning and performance of the engagement and the preparation of the report.
1. Understand the reporting platform of the AICPA Service Organization Control (SOC) framework - The newly formed Service Organization Control (SOC) framework, put forth by the American Institute of Certified Public Accountants (AICPA), seeks to fundamentally reshape reporting requirements for today's complex and ever-changing service organizations. Specifically, three (3) reporting options were adopted: SOC 1, SOC 2, and SOC 3. While SOC 1 reports use the SSAE 16 standard for reporting on controls, SOC 2 and SOC 3 reports, which are geared towards technology and cloud computing companies, use the Trust Services Principles (TSP) in accordance with the AT Section 101 professional standard.
2. Learn about the Trust Services Principles (TSP) framework - Unlike the historical SAS 70 auditing standard or the current SSAE 16 attestation standard, the framework for a Service Organization Control (SOC) 2 report is "criteria" based: a practitioner is engaged to examine and report on a service organization's controls over one or more of the following five (5) Trust Services Principles (TSP):