SOC 1 vs. SOC 2: Which report is right for you? | Assure Professional

Companies are often confused about which type of report is right for their organization and how the two audits differ.  A general rule of thumb is to ask yourself, "Do the services we provide impact the financial statements of our customers?"  If the answer is a definitive "yes," a SOC 1 report (issued under SSAE 16, since superseded by SSAE 18) is most likely the applicable report for your business.  If the answer is "no" and you are providing a service, a SOC 2 is likely the right choice.  That said, in the current marketplace we often encounter circumstances where a user entity (i.e. your client) requires a SOC 1 when that report does not appear appropriate.  Before engaging in an audit, we recommend that you verify your customer understands the purpose of a SOC 1 versus a SOC 2 report and obtain their sign-off on the report type before commencing the engagement.  Key differences are as follows:


FOCUS

SOC 1: Internal control over financial reporting (ICFR).

SOC 2: Operations/IT controls.

AUDIENCE

SOC 1: The user entity and its auditors.  Ask yourself, "Do the services we provide impact the financial statements of our customers?"

SOC 2: The user entity, its auditors and other parties who are knowledgeable about:

  • the nature of the service provided by the service organization
  • how the service organization's system interacts with user entities, subservice organizations and other parties
  • internal controls and their limitations
  • the criteria and how the controls address the criteria

SCOPE

SOC 1: The description of the system covers:

  • types of transactions
  • policies and procedures for processing and reporting transactions
  • report/deliverable preparation for users
  • other aspects relevant to processing and reporting user transactions

Controls typically address transaction processing, supporting IT functions and other supporting controls, including physical security.

SOC 2: The description of the system covers:

  • infrastructure
  • software
  • procedures
  • people
  • data

Controls are evaluated against the principles selected by the service organization:

  • Security
  • Availability
  • Confidentiality
  • Processing Integrity
  • Privacy

FORMAT

SOC 1: Control objectives are defined by the service organization and may vary depending on the service provided.  Control activities are then identified that meet the defined objectives.

SOC 2: Principles are selected by the service organization.  Specific pre-defined criteria are used rather than control objectives, and control activities are identified that meet the criteria.  Typically, the company will need sufficient activities to address each criterion for the in-scope principles.

Below are examples of companies that typically require a SOC 1 or a SOC 2 report.  As discussed above, this can be a subjective assessment, and for certain companies both types of audits/reports may apply:

SOC 1

  • Collections
  • Third party administrators
  • Medical billing and other billing organizations
  • Payment processors
  • Freight and other cost auditing services

SOC 2

  • Data centers
  • Software as a Service (SaaS)
  • Infrastructure as a Service (IaaS)
  • Managed Service Providers (MSPs)
  • Other cloud-based services
  • Outsourced IT providers