What is the Difference Between a SOC 1 and a SOC 2 Report?
Understand the difference between SOC 1 and SOC 2 and how SOC for supply chain reporting helps assess controls, risk, and service provider reliability.
Accorp Compliance Team
SOC 1 and SOC 2 reports can have a lot of overlap in the control activities that are covered in the report. However, the guidance falls under different AICPA standards, and the intended reader of the report has an impact on whether a SOC 1 or SOC 2 is needed.
SOC 1 Reports
A SOC 1 report falls under the Statement on Standards for Attestation Engagements (SSAE) 18 AT-C 320 (formerly SSAE 16 or AT 801). The report is called a SOC 1 rather than by the name of the standard (reports are NOT called SSAE 18s). A SOC 1 report has a financial focus that includes a service organization’s controls relevant to an audit of a service organization’s client’s financials. The service organization (with the assistance of the auditors) will define the control objectives that are relevant for the services they are providing to their clients. Control objectives will be related to both information technology processes and business processes at the service organization.
SOC 2 Reports
A SOC 2 report also falls under the SSAE 18 standard AT-C 105 and the SSAE 21 standard AT-C 205. The SOC 2 report includes a service organization’s controls that are outlined by the AICPA’s Trust Services Criteria (TSC), and that are relevant to its services, operations, and compliance.

The difference between SOC 1 and SOC 2 in reference to these controls and criteria is as follows:
· In a SOC 2, controls meeting the criteria are identified and tested.
· In a SOC 1, controls meeting the identified control objectives are tested.


