The SOC 1 vs. SOC 2 discussion is well under way, thanks in large part to the American Institute of Certified Public Accountants' ( AICPA) launch of their new service organization reporting platform, known as the SOC framework. Officially, SOC standards for "Service Organization Control", which allows qualified practitioners (i.e., licensed and registered Certified Public Accountants) to issue SOC 1, SOC 2, and/or SOC 3 reports. With the SSAE 16 standard (which is used for issuing SOC 1 reports) effectively replacing the longstanding SAS 70 auditing standard for reporting periods ending on or after June 15, 2011, there's been much debate regarding SOC 1 vs. SOC 2, specifically, when are they applicable, what is the respective scope for each, and what similarities or differences do they each share.
Service Organization Control (SOC) 1 reports are to be conducted in accordance with Statement on Standards for Attestation Engagements (SSAE) No. 16, the AICPA "attest" standard that, not only replaced SAS 70, but was intended to reinforce SAS 70's true intent, which was an audit conducted over "internal controls over financial reporting", more commonly known as the ICFR concept. Because SAS 70 strayed heavily from its intended use, the newly formed SOC framework placed great emphasis on the ICFR component for service organization reporting, thus advocating service organizations to opt for a SOC 1 (for which you can obtain an SSAE 16 Type 1 or Type 2 report) only if your organization has a true relationship and/or nexus with ICFR. Learn more about NDB's complimentary SOC 1 Policy Packets and SOC 2 Policy Packets. They truly make a big difference in helping service organizations save thousands of dollars on SOC compliance.