All Posts

    Eyal Katz Eyal Katz
    Apr 21 8 min read

    SOC 1 or SOC 2, which should you comply with and why?

    Organizations today are more vulnerable than ever to cyberattacks and data breaches. Whether the attack is executed by an external actor or an insider, the unauthorized intrusion comes at a great cost. 

    This cost may differ, depending on several factors. These include the cause of the breach, the actions taken to remediate the incident, whether there is a history of data infringements, what data was compromised, and how the organization aligned with the authorities and regulators.

    Regardless, a breach is not something any organization can really afford. According to a recent IBM report, data breaches average at a cost of $3.86 million per breach and last for 280 days. Clearly, the financial damage is great.

    When establishing the requisite security controls to prevent attacks and accelerate remediation when they do occur? There is another kind of damage that must be taken into consideration - reputational damage. If potential customers and partners become sufficiently weary of the organization’s (in)ability to protect their data? They will take their business elsewhere.

    This is why audit and reporting frameworks have been put in place. Security auditing and reporting frameworks are designed to align organizations around global and reliable standards. Moreover, they enable organizations to attest to the validity of their security controls, as well as to the robustness of their implementation.

    In this post, we will be taking a look at the two most common frameworks – SOC 1 and SOC 2, how they are different, and which you may need for different objectives. 

    What is SOC?

    SOC is an acronym for System and Organization Controls. These controls constitute a series of standards that were designed by the American Institute of Certified Public Accountants (AICPA). They intend to help measure how well an organization conducts and regulates its information, whether financial, customer-related, or other. 


    aicpa soc

    Ultimately, the goal of SOC standards is to assure customers and third parties that the service providers with whom they engage do indeed have the requisite procedures in place for safeguarding their data

    As such, the SOC audit is designed to evaluate how well a company is meeting these standards. 

    There are several types of SOC audits, including SOC 1, SOC 2, SOC 3, and SOC for cybersecurity.

    soc reporting options

    What are SOC reports?

    The SOC report is the outcome of the audit. Its objective is to provide a thorough, consistent, and unbiased overview of how in-scope a company is with the relevant standards

    It communicates to external stakeholders about the policies and procedures that are in place and how well these are followed so that the potential risk of engagement may be accurately assessed. 

    The reports that are part of the SOC framework are as follows:

    SOC 1, which reports on controls related to financial reporting.

    SOC 2, which builds on SOC 1 but also covers procedures for organizational oversight, risk management, vendor management, and regulatory oversight

    SOC 3, which is a simplified version of SOC 2, requiring less formalized documentation.

    SOC for cybersecurity, which is a voluntary framework designed to help organizations communicate the cybersecurity risk management programs they have in place and the effectiveness of their programs’ controls. 

    Moreover, it should be noted that SOC 2 reports do allow for flexibility to incorporate additional criteria, such as those relating to industry-specific frameworks such as the HITRUST CSF (of the Health Information Trust Alliance), HIPAA (for protecting sensitive patient health information), and NIST (standards for the security of information systems at federal agencies).

    soc1 vs soc2

    What is SOC 1?

    According to AICPA, a SOC 1 report conveys how well an organization’s internal controls over accounting and financial reporting are designed, their efficacy, and whether they help the organization meet its financial goals.

    SOC 1 reports are targeted at the management teams of the organization’s customers and external auditors.

    There are two types of SOC 1 reports:

    SOC 1 Type I is intended to demonstrate that internal controls are designed well enough to effectively prevent mistakes regarding financial transactions and statement data, with testing being done at one point in time.

    SOC 1 Type II, unlike Type 1, tests the operating effectiveness of internal business and IT controls and is designed to mitigate the risk of a financial inaccuracy, with testing being done over time.

    What is SOC 2?

    SOC 2 is the most sought-after report as it is a must when dealing with technology services. It covers:

    • System security 
    • System processing integrity 
    • System availability
    • Privacy in collecting, retaining, using, disclosing, and disposing of personal information for user entities
    • Confidentiality of information that the system processes or maintains for user entities

    SOC also has two types of reports:

    SOC 2 Type I reviews policies and procedures at a specific point in time. 

    SOC 2 Type II is more rigorous in that it covers policies and procedures over a period of time, where systems must be evaluated for at least six months.


    soc2 timeline

    The readers and users of SOC 2 reports include, as with SOC 1 – the customer’s management team, but also prospective customers, business partners, external auditors, and regulators.

    Key differences between SOC 1 and SOC 2

    As we have seen, SOC 1 and SOC 2 do differ from one another. Below is a quick summary of these differences:


    SOC 1

    SOC 2

    The relevant standards

    SSAE No. 16, Reporting on Controls at a Service Organization AICPA Guide, Applying SSAE No. 16, Reporting on Controls at a Service Organization

    AT 101, Attestation Engagements AICPA Guide, Reporting on Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy

    The subject matter

    Controls relevant to user entities and internal control over financial reporting

    Controls relevant to security, availability, processing integrity confidentiality, or privacy, often including controls relating to cloud and data storage

    Control objectives

    Assuring the integrity of IT and business processes for securing customer information

    Assuring the integrity of security, processing integrity, availability, confidentiality, and privacy 

    Target audience

    External auditors, management at customer organization, and CPAs

    Management at customer organization, prospective customers, business partners, external auditors, and compliance regulators

    Control objectives specification

    By the service organization itself

    Per a standardized set of criteria for each report principle 


    A description of the service organization’s system, an opinion on the fairness of the presentation, the suitability of the design of the controls; in Type II reports, there are also the operating effectiveness of the controls, a description of the service auditor’s tests of the controls, and the results of the tests.

    A description of the system and an opinion on the fairness of the suitability of the design of the controls; in a Type II report, there is also the operating effectiveness of the controls, and a description of the service auditor’s tests of controls, and the results of the tests.


    SOC 1, SOC 2, or both?

    So, now the natural question is what kind of SOC audit should an organization perform – SOC 1, SOC 2, or both?

    For starters, both audits provide transparency about the service organization’s controls. Determining which is needed depends on multiple factors including – whether or not the organization offers multiple services, whether or not it operates out of multiple locations, and how customers use the organization’s services.

    Ultimately, a SOC 1 certification should be pursued by an organization that provides solutions and services that may impact its clients’ internal controls over financial reporting, for example – providers of billing and collections data-related software.

    SOC 2, on the other hand, is not mandated by regulations as PCI-DSS or HIPAA. Nevertheless, organizations that process or host sensitive data, will need to demonstrate that they are taking the required precautions to protect this data and prevent breaches. 


    In today’s world of increasing cybercrime and data breach frequency? SOC 2 in particular is not a nice-to-have, it’s a must-have.

    SOC 1 vs SOC 2

    Having the right controls in place as well as the ability to demonstrate that they are effective, robust, and reliable via SOC 1 and SOC 2 reporting? Directly impacts market competitiveness, organizational stability, and brand equity. 

    While the two reports may seem to be similar at first, as we have seen – they are different. SOC 1 focuses on a company’s financial processes and reporting, and SOC 2 on how a company secures its data and technology systems

    Regardless of which most resonates most with your business needs, there is no doubt that SOC is relevant for everyone.

    To learn more about how Exigence can help you improve the robustness of your breach remediation and reporting for your next SOC 2 audit, check out the our homepage.

    cybersecurity incident

    cybersecurity incident