SOC 1 and SOC 2 Reports
SOC 1 reports address controls at a service organization relevant to user entities' financial reporting, while SOC 2 reports address controls related to security, availability, processing integrity, confidentiality, and privacy.
Explanation
SOC 1 engagements are performed under SSAE 18 (AT-C 320) and are used by user entity auditors to evaluate the impact of a service organization's controls on financial statements. SOC 2 engagements evaluate controls against the AICPA Trust Services Criteria. Both come in Type 1 (design at a point in time) and Type 2 (design and operating effectiveness over a period). SOC 3 is a general-use version of SOC 2 with a simplified report suitable for public distribution.
Key Points
- SOC 1: ICFR-relevant controls (SSAE 18); SOC 2: Trust Services Criteria
- Type 1 = point in time; Type 2 = period of time
- SOC 3 is a general-use report derived from SOC 2 criteria
Exam Tip
SOC 1 is for financial reporting controls; SOC 2 is for operational controls (security, availability, etc.). Don't confuse which report serves which purpose.