SOC 1 and SOC 2: The basics

By Geoffroy De Cooman

Some of the best daydreams we'll ever have revolve around scenarios that will never happen, like waking up tomorrow with all your regulatory compliance requirements already worked out. If you're reading this, you already know that SOC 1 and SOC 2 exist.

Going through a SOC examination lets your organization give clients independent confirmation from an auditor who has seen your internal controls in place and operating.

But keeping up with compliance requirements can be demanding, especially if you don't know where to start. That's why in this article we're going to break down the most important things you need to know about SOC 1 and SOC 2 audits.

SOC 1 and SOC 2 are not one and the same

Confusing the two is easy. Both are attestation reports defined by the AICPA in which an independent auditor examines the controls used within your organization, but their focus is different: SOC 1 looks at the controls at your organization that are relevant to your clients' internal control over financial reporting, while SOC 2 looks at the controls that secure and protect the systems and customer data you handle.

In short, SOC (originally Service Organization Control, renamed System and Organization Controls by the AICPA in 2017) reporting gives both internal and external stakeholders assurance and transparency about how your controls are designed and operating. It is also a worthwhile investment for several reasons:

  • You can reduce compliance costs and the time spent answering individual customer audits and security questionnaires,
  • It helps you meet contractual obligations, since one report tailored to your system can answer the same question from many clients, and
  • It forces you to identify and address existing risks across your organization proactively.

Let’s go into detail about the two types of reports and their requirements and see how all this affects your business.

Which report does my business need: the main differences between SOC 1 and SOC 2

A SOC 1 report gives your customers assurance that the controls at your organization which affect their financial statements are suitably designed and operating effectively, so that your service does not introduce errors into their financial reporting.

Previously, this kind of report was issued under SAS 70 (Statement on Auditing Standards No. 70), which was replaced in 2011 by Statement on Standards for Attestation Engagements No. 16 (SSAE 16), the standard that introduced the SOC 1 name. In May 2017, SSAE 18 came into effect with a series of enhancements aimed at increasing the usefulness and quality of SOC 1 reports, for example stricter expectations around how a service organization monitors the subservice organizations it relies on.

A SOC 2 report, by contrast, is aimed at service organizations to which clients outsource the collection, processing, transmission, storage, maintenance or disposal of their data. It is built on five categories of criteria called the Trust Services Criteria, which the AICPA defines as:

  1. Security: the information and systems are protected against unauthorized access, unauthorized disclosure of information and damage to systems that could compromise the availability, integrity, confidentiality, and privacy of that information.
  2. Availability: the information and systems are available for operation and use to meet the company’s objectives.
  3. Processing integrity: the system processing is complete, valid, accurate, timely, and authorized.
  4. Confidentiality: the information designated as confidential is protected to meet the company's objectives.
  5. Privacy: personal information is collected, used, retained, disclosed, and destroyed in accordance with the company's privacy notice and objectives.

One caveat a practitioner should know: only Security (the "common criteria") is mandatory in a SOC 2 examination. The other four categories are included only when the service organization opts them in, so when you receive a SOC 2 report from a vendor, always check which categories it actually covers.

Both SOC 1 and SOC 2 reports come in two forms:

  • Type I reports evaluate whether an organization's controls are suitably designed as of a specific date.
  • Type II reports evaluate whether those controls were also operating effectively over a specified review period (typically six to twelve months), which is why customers usually ask for a Type II.

But how do you know which one you should get for your company?

We’ve got you covered... 

Why is a SOC 1 audit important for your company?

One word comes to mind above all else and that's "trust." 

You may need a SOC 1 report because a client is requesting it: their auditors need assurance over the controls at your organization that affect the client's financial reporting. This isn't something to take personally but rather a great opportunity, because it gives your clients confirmation from an independent auditor who has seen your internal controls in place and operating. That is invaluable in building trust.

Examples of service organizations that typically provide a SOC 1 report include payroll processors, healthcare benefit processors, trust departments of banks and insurance companies, custodians for investment companies, mortgage servicers, and depository institutions that service loans for others.

You may also need a SOC 1 report to support a client's own compliance obligations. For example, if your clients are publicly traded in the US, their auditors will ask for your SOC 1 report when assessing the client's internal control over financial reporting under the Sarbanes-Oxley Act (SOX).

Lastly, a SOC 1 report is a restricted-use report: it is intended only for the management of the service organization, its user entities (the clients) and their auditors, and is typically shared under NDA rather than published.

Why is a SOC 2 audit important for your company?

If your organization's services do not affect your clients' financial reporting but you process or store other types of customer or personal data, a SOC 2 report is the one to pursue (some organizations, such as payroll providers that also host customer data, end up needing both). Today's business environment is extremely sensitive to data breaches, so your clients will want evidence that you are taking adequate measures to protect their data and prevent leaks.

Note that the real difference in effort is Type I versus Type II, not SOC 1 versus SOC 2. A Type II report of either kind requires long-term, ongoing internal practices that operate consistently throughout the review period, because the auditor samples evidence from the whole period rather than observing controls on a single day. For a SOC 2 Type II, that means practices such as access reviews, change management, vulnerability management and incident response have to actually run, and leave evidence, all year; that discipline is what secures customer information and, in turn, the success of your business.

In general, companies that define themselves as financial services technology providers, cloud service providers, healthcare providers, and data center hosting service providers should consider obtaining a SOC 2 report.

Like SOC 1, a SOC 2 report is a restricted-use report: it is shared with existing and prospective customers and their auditors, usually under NDA. If you want something you can publish openly, the AICPA's SOC 3 report is a general-use summary of a SOC 2 examination that omits the detailed test results.

So what does this mean for Proxyclick?

Obtaining our SOC 2 Type II report was the best way to show that our company's systems and controls are suitably designed, and operating effectively, to secure our clients' sensitive data.

Our report has been renewed this year, which means our controls were examined against all five Trust Services Criteria set by the AICPA:

  • Security - protecting Proxyclick against unauthorized access or changes
  • Availability - ensuring that Proxyclick will be up and running as needed
  • Processing Integrity - performing all visitor transactions completely, accurately and on time
  • Confidentiality - protecting information designated as confidential in the system
  • Privacy - handling personal data (from visitors and hosts) appropriately

When choosing a visitor management system, ask whether the vendor can provide a current SOC 2 Type II report, and check which Trust Services Criteria and which review period it covers.

Being proactive is the key to compliance

All in all, undergoing a SOC 1 or a SOC 2 audit is a great way to stay proactive in your compliance efforts and maintain a competitive advantage within the industry.

These two reports also help with customer retention, improve the discipline of your internal processes, and reduce the likelihood of fines for non-compliance or of costly security breaches.

Are you feeling spread too thin while covering all your bases when it comes to audits and regulations? Check out our guide to regulatory compliance and discover how a visitor management system can help you.

More user-friendly compliance content coming soon, so stay tuned! 

 

