AICPA SOC 1,2,3 Compliance Audit Reports
One of the most important reports for third party (vendor) and SOX compliance is the SOC 1 or SOC 2 Type 2 compliance audit. The SOC 1 or SOC 2 Type 2 compliance audit (attest) report provides for assurance. SOC compliance audit reports are part of AICPA's SSAE 18 Attest Standard that is used for the SOC 1, SOC 2, and SOC 3 reports. Since 1992, these reports have been known as SAS 70 audit reports. In 2011 the SOC 1 was brought under SSAE 16 Standard and SOC 2 under AT 101. Finally, in 2017 the SSAE 16 along with other SSAE standards got merged into one SSAE 18, bringing all SOC 1, SOC 2 and SOC 3 reports under SSAE 18. This is the main difference between SSAE 16 vs 18 pertaining to SOC compliance reports.
SOC stands for "System and Organization Controls" formerly known as "Service Organization Controls". The definition was changed in 2017 along with the updated Trust Services Criteria.The SOC compliance reports were mainly being used for vendor(third-party) compliance audits as these organizations were service organizations. The auditor auditing these service organizations is called Service Auditor (SOC Auditor).
A SOC 1 or SOC 2 Type 2 compliance report provides for operating effectiveness of controls over a period such as 6 months or 12 months in contrast to certifications such as ISO/IEC 27001 that provides a certificate which is valid for 3 years (SOC 2 vs ISO27001). For missing periods immediately after the report, some User Entities or User Auditors may insist on a SOC Bridge Letter. A SOC compliance report usually is about 100 pages depending on the controls reported on. The SOC Audit report comprises of all the applicable controls objectives or criteria that are reported by the SOC Auditor (Service Auditor). SOC 1 is mainly used for financial data reporting (ICFR) and SOC for non-finaincial data. SOC 1 vs SOC 2 is on nature of data. A SOC 2 Type 1 or SOC 1 Type 1 compliance report provides for controls implemented at a point in time (as on a specific date).The SOC compliance report can satisfy the need for SOX compliance such as SOX 404. SOC 1 vs SOC 2 is mainly financial or non financial data.
Difference between SOC Type 1 and Type 2- A SOC Type 1 compliance audit report refers to point in time and Type 2 report refers to period of time and controls implemented vs operating effectiveness.The SOC compliance or audit report is now of 4 sections, Section 1 is the Auditors Opinion, Section II is the Management Assertion, Section III is the Description Criteria or System Description and Section IV is a detailed list of controls as per applicable TSC 2017 criteria or the applicable control objectives along with the results of the auditors' test of controls. The SOC compliance report can be qualified or un-qualified.The SOC compliance reports could be carve-in or carve-out depending on sub service organization controls are included or not.
Data in the Cloud is causing nightmares to CIO’s and CISO’s – Leading Security Reports
Our Cybersecurity Services
Cloud Security Audits
Cloud Security Audits for IaaS, PaaS and SaaS on Amazon AWS, Azure, Google platforms covering VAPT and Benchmarking against Standards.Read More
SOC 2, ISO 27001 and Cloud STAR Audits
Cloud Security Audits under Cloud Security Alliance to provide SOC 2 Type 2 and ISO 27001 for Cloud STAR Level 2 Complaince with CCM controls.Read More
Privacy Compliance Services
With hefty Privacy fines, our privacy services can help you stay compliant with mandates such as HIPAA, GDPR, CCPA etc. We also offer your ISO 27701 Certification for PrivacyRead More
Cybersecurity Assessment for Critical Infrastructure
Our team has experience with large projects relating to NERC-CIP, IEC62443/ISA99, Critical, and Smart Infrastructure Security.Read More
Our Client Testimonials
Ecom Infotech is conducting SOC-2 Audit for Ricoh Data Centres and Cloud Services since last 3 years. Audit done by your team were always completed in a timely & professional manner.
Subsequent informal discussions with your good self & knowledge sharing sessions on Network- Security domain with the teams on regular intervals are appreciable.
It’s great to have business association with Accedere Inc
We at Jio Data Center Operations, Would like thank and extend our sincere appreciation for all your devoted contributions & commitment towards our SSAE18 SOC 1 & 2 certification process.
As an industry veteran along with your deep knowledge of the domain, You have made the entire process so seamless especially considering the number of functions & controls involved. You have also helped us to create integrated controls. You have been so diligent, honest and systematic in approach throughout the process.
We thank you once again and look forward for sustaining partnership. Wishing you all the best!!!