SOC 1*, SOC 2~, or Both

**SOC 1*, SOC 2~, or Both**

How should a company decide on whether to have a SOC 1 or a SOC 2, or when it is appropriate to have both? The company should consider its creditors, investors, regulators, and the concerned parties that rely on the information that will be provided by the results of the SOC 1 or SOC 2 engagements. In addition, the company would be wise to consider its customers and their expectations on how the company will use their information, especially given the new European Union’s general data protection regulation (GDPR)) effective May 25, 2018.

SOC 1

A SOC 1 engagement provides assurance on financial information and assesses internal controls over financial reporting. This engagement is appropriate if the company, as a service to other companies, provides transaction support that directly or indirectly impacts the completeness, accuracy, validity, and access controls associated with financial information (COSO, SOC, ISO 27001)..

SOC 2

A SOC 2 engagement provides assurance on what the American Institute of Certified Public Accountants describes as Trust Service Principles. Namely; security, availability, data processing integrity, confidentiality, and privacy. There are some overlaps between the controls that are assessed in SOC 1 and SOC 2 engagements. However, there are some very distinct differences that must not be ignored. The SOC 2 engagement is appropriate if the company handles any information that a reasonable person would consider sensitive (COSO, SOC, ISO 27001)..

Both SOC 1 & SOC 2

SOC 1 and SOC 2 engagements are necessary together when a company provides transaction support that directly or indirectly impacts their clients’ financial information in addition to handling other information that a reasonable person would consider sensitive (COSO, SOC, ISO 27001).

Creditors, Investors, Regulators, & Customers

People want to know that you are treating them with dignity and respect when they engage with you in business. Transparency is critical in how you demonstrate your commitment to treating stakeholders with dignity and respect, so if your company provides transaction support for financial information and handles sensitive data, it is incumbent upon you to engage an independent third-party to provide the compelling evidence of that commitment and demonstrate that you are not just talk. Keep in mind that the EU through the GDPR is sending a clear message.

Important

Contact CompVisory and we will provide you with a readiness assessment, and then a SOC 1, a SOC 2, or both depending on the result of the assessment.

*Service organization controls engagement cover internal controls over financial reporting relevant to user organizations.
~Service organization controls engagement covering security, availability, processing integrity, confidentiality or privacy.