SOC 1, SOC 2, and SOC 3 Reports: Type 1, Type 2, or Readiness Assessment?

Published 08/26/2022

Originally published by A-LIGN here.

Written by Alex Welsh, Manager, ISO Practice, A-LIGN.

SOC reports are gaining in popularity across industries and across the globe. More and more customers are asking for demonstrated SOC compliance, and independent cybersecurity control validation and attestation are becoming necessary to compete for high-priority contracts. Beyond customer demand, SOC reports ensure that controls are properly implemented and used within your organization, greatly reducing potential security threats.

For organizations seeking a SOC 1, SOC 2, or SOC 3 report, there are two attestation options available: Type 1 and Type 2. Additionally, a readiness assessment can be performed to prepare your organization for the attestation.

With so many options, which is best for your organization to prove compliance? Our experienced assessors break down the differences between SOC 1, SOC 2 and SOC 3 so the path to compliance is clear. We then dive into the various types of SOC reports: Type 1, Type 2 and a readiness assessment.

SOC 1 Report

A SOC 1 report follows the guidance outlined in the Statement on Standards for Attestation Agreements, which focuses on the internal controls that have an impact on the financially relevant systems and reporting. The main goal of a SOC 1 report is to ensure the controls identified by the organization are in place and/or operating effectively to appropriately address the risk of inaccurately reporting financials.

SOC 2 Report

A SOC 2 report highlights the controls in place that protect and secure an organization’s system or services used by its customers. Unlike a SOC 1, the scope of a SOC 2 examination extends beyond the systems that have a financial impact, reaching all systems and tools used in support of the organization’s system or services. The security of your environment is based on the requirements within a SOC 2 examination, known as the Trust Services Criteria (TSC). The TSC are based upon the American Institute of Certified Public Accountants (AICPA) and consist of five categories:

  • Common Criteria/Security (required)
  • Availability (optional)
  • Processing Integrity (optional)
  • Confidentiality (optional)
  • Privacy (optional)

SOC 3 Report

A SOC 3 report is coupled with a SOC 2 report and is a scaled-down version of the SOC 2 report. The report is intended for a broader public audience including prospective customers and stakeholders. The SOC 2 report provides greater detail regarding the organization’s controls and operations. A SOC 3 report is effectively a summary of the SOC 2 report that provides less technical information, making it suitable for an organization to share publicly on its website or to hand out to prospective customers.

Readiness Assessment

A readiness assessment measures your organization’s level of preparedness for a Type 1 or Type 2 assessment. Used for internal purposes, this assessment provides your organization with a greater understanding of the demands of a SOC audit. The deliverables include a listing of your current controls, as well as identification of recommendations that should be implemented to enhance your environment prior to the full assessment.

We recommend completing our SOC Readiness Checklist before undergoing a readiness assessment to see how close your organization is to reaching its requirements for a SOC audit. Regardless of your results, you will have a clear understanding of whether you are ready to move forward with a SOC examination or whether you should continue to prepare.

A readiness assessment allows you to save time and resources by truly being prepared for your SOC examination. While you cannot technically “fail” a SOC examination, your report opinion can be noted as “modified” or “qualified”, which may result in a negative perception by your executive team and stakeholders.

SOC Type 1 Report

With a SOC Type 1 report, your organization’s controls are assessed at a specific point in time. This report acts as a snapshot of your environment to determine and demonstrate if the controls are suitably designed and in place. For example, we will take a sample terminated employee and confirm that their access was properly revoked and documented via a ticketing system.

A Type 1 report has the following characteristics:

  • Description of your organization’s system as a whole
  • Assesses the design of your organization’s internal controls
  • Tests a specific point in time

A Type 1 report does not provide an evaluation of how effective your controls are over an extended period of time because it’s only looking at the controls as they exist at that given date.

SOC Type 2 Report

For a SOC Type 2 report, your organization’s controls are assessed over a period of time, typically a twelve-month review period. Unlike Type 1, a Type 2 report acts as a historical review of your environment to determine and demonstrate if the controls are suitably designed and in place, as well as operating effectively over time. The audit process will include sample testing within the review period to determine if your organization’s controls are operating effectively. For instance, we will take a sample of employees from the population of terminated personnel and confirm that their access was properly revoked and documented via the ticketing system during the agreed-upon review period.

A Type 2 report has the following characteristics:

  • Description of your organization’s system as a whole
  • Assesses the design of your organization’s controls, as well as their operating effectiveness
  • Focuses on a period of time in which the controls are operating
  • Features detailed descriptions of the auditor’s tests and test results of the controls

Since a Type 2 report is more granular and comprehensive than a Type 1 report, it often provides your clients with a higher level of assurance. In today’s cybersecurity landscape, it’s commonplace for vendors, partners or customers to request that your organization earn a SOC 2 report as the cost of doing business.
