SOC 1*, SOC 2~, or Both

How should a company decide whether to have a SOC 1 or a SOC 2, and when is it appropriate to have both? The company should consider its creditors, investors, regulators, and the other concerned parties that rely on the information provided by the results of the SOC 1 or SOC 2 engagements. In addition, the company would be wise to consider its customers and their expectations about how it will use their information, especially given the European Union's new General Data Protection Regulation (GDPR), effective May 25, 2018.

SOC 1

A SOC 1 engagement provides assurance on financial information and assesses internal controls over financial reporting. This engagement is appropriate if the company, as a service to other companies, provides transaction support that directly or indirectly impacts the completeness, accuracy, validity, and access controls associated with financial information (COSO, SOC, ISO 27001).

SOC 2

A SOC 2 engagement provides assurance on what the American Institute of Certified Public Accountants describes as the Trust Service Principles, namely security, availability, processing integrity, confidentiality, and privacy. There is some overlap between the controls assessed in SOC 1 and SOC 2 engagements. However, there are some very distinct differences that must not be ignored. The SOC 2 engagement is appropriate if the company handles any information that a reasonable person would consider sensitive (COSO, SOC, ISO 27001).

Both SOC 1 & SOC 2

SOC 1 and SOC 2 engagements are necessary together when a company provides transaction support that directly or indirectly impacts their clients’ financial information in addition to handling other information that a reasonable person would consider sensitive (COSO, SOC, ISO 27001).

Creditors, Investors, Regulators, & Customers

People want to know that you are treating them with dignity and respect when they engage with you in business. Transparency is critical in how you demonstrate your commitment to treating stakeholders with dignity and respect, so if your company provides transaction support for financial information and handles sensitive data, it is incumbent upon you to engage an independent third party to provide compelling evidence of that commitment and demonstrate that you are not just talk. Keep in mind that the EU, through the GDPR, is sending a clear message.

Important

Contact CompVisory and we will provide you with a readiness assessment, and then a SOC 1, a SOC 2, or both depending on the result of the assessment.

Contact us today.

*Service organization controls engagement covering internal controls over financial reporting relevant to user organizations.
~Service organization controls engagement covering security, availability, processing integrity, confidentiality, or privacy.

Written by

Dean Brown is a seasoned business professional with 20 years of audit experience. Dean specializes in System and Organization Controls (SOC) audits, which he has been conducting as the principal auditor since 2014. Dean has also conducted numerous controls, IT, operations, compliance, and forensic audits over the course of his career. His experience includes financial, IT, SOC (SOC 1, SOC 2, SOC 3, and SOC for Cybersecurity), operations, and compliance audits, examinations, reviews, and consulting engagements. Dean is a subject matter expert in SSAE 18/SOC 1 and SOC 2 audits, ISO 27001, enterprise risk management, internal controls, information security management systems, and IT governance models. Dean began his career as an auditor at a Big 4 public accounting firm, where he audited multiple Fortune 500 companies. Later, in his role as a lead auditor at a Fortune 500 company, he managed teams in the United States and Canada and was instrumental in the management and successful completion of a company-wide project that transitioned the company to a new operating business model. Dean is responsible for crafting, communicating, and reinforcing CompVisory's vision and mission, and for empowering the CompVisory team with the guidance and resources necessary to achieve them.