SSAE 18 (SOC 1/SOC 2)
If your company provides services to other companies, those services may have an impact on your customers’ financial reporting. As a result, your customers’ auditors may need assurance that the controls surrounding your services are designed effectively, and in some cases, operating effectively. A way to provide that assurance is by undergoing a Service Organization Control (SOC) audit. SOC 1 and SOC 2 audit reports have distinct differences. In order to determine which one is right for your organization, you must know how they work:
The SOC 1 Report
Also known as the Statement on Standards for Attestation Engagements (SSAE) 18, the SOC 1 report focuses on a service organization’s controls that are likely to be relevant to an audit of a user entity’s (customer’s) financial statements. Control objectives are related to both business process and information technology. A SOC 1 – Type I audit report focuses on a description of a service organization’s control and the suitability of how those controls are designed to achieve the control objectives as of a specified date. A SOC 1 –Type II audit report contains the same opinions as a Type I, but it adds an opinion on the operating effectiveness to achieve related control objectives throughout a specified period. Learn more about SOC 1 Type I and Type II reports here. SOC 1 audit reports are restricted to the management of the services organization, user entities and user auditors.
The SOC 2 Report
The SOC 2 report addresses a service organization’s controls that relate to operations and compliance, as outlined by the AICPA’s Trust Services criteria in relation to availability, security, processing integrity, confidentiality and privacy. A service organization may choose a SOC 2 report that focuses on any one or all five Trust Service principles and may choose either a Type I or a Type II audit. A SOC 2 report includes a detailed description of the service auditor’s test of controls and results. The use of this report is generally restricted.
Do you need help with a SOC strategy? CS360 can help.