AICPA SOC 1,2,3 Compliance Audit Reports

One of the most important reports for third party (vendor) and SOX compliance is the SOC 1 or SOC 2 Type 2 compliance audit. The SOC 1 or SOC 2 Type 2 compliance audit (attest) report provides for assurance. SOC compliance audit reports are part of AICPA's SSAE 18 Attest Standard that is used for the SOC 1, SOC 2, and SOC 3 reports. Since 1992, these reports have been known as SAS 70 audit reports. In 2011 the SOC 1 was brought under SSAE 16 Standard and SOC 2 under AT 101. Finally, in 2017 the SSAE 16 along with other SSAE standards got merged into one SSAE 18, bringing all SOC 1, SOC 2 and SOC 3 reports under SSAE 18. This is the main difference between SSAE 16 vs 18 pertaining to SOC compliance reports.

SOC stands for "System and Organization Controls" formerly known as "Service Organization Controls". The definition was changed in 2017 along with the updated Trust Services Criteria.The SOC compliance reports were mainly being used for vendor(third-party) compliance audits as these organizations were service organizations. The auditor auditing these service organizations is called Service Auditor (SOC Auditor).

Ecom Infotech

A SOC 1 or SOC 2 Type 2 compliance report provides for operating effectiveness of controls over a period such as 6 months or 12 months in contrast to certifications such as ISO/IEC 27001 that provides a certificate which is valid for 3 years (SOC 2 vs ISO27001). For missing periods immediately after the report, some User Entities or User Auditors may insist on a SOC Bridge Letter. A SOC compliance report usually is about 100 pages depending on the controls reported on. The SOC Audit report comprises of all the applicable controls objectives or criteria that are reported by the SOC Auditor (Service Auditor). SOC 1 is mainly used for financial data reporting (ICFR) and SOC for non-finaincial data. SOC 1 vs SOC 2 is on nature of data. A SOC 2 Type 1 or SOC 1 Type 1 compliance report provides for controls implemented at a point in time (as on a specific date).The SOC compliance report can satisfy the need for SOX compliance such as SOX 404. SOC 1 vs SOC 2 is mainly financial or non financial data.

Difference between SOC Type 1 and Type 2- A SOC Type 1 compliance audit report refers to point in time and Type 2 report refers to period of time and controls implemented vs operating effectiveness.The SOC compliance or audit report is now of 4 sections, Section 1 is the Auditors Opinion, Section II is the Management Assertion, Section III is the Description Criteria or System Description and Section IV is a detailed list of controls as per applicable TSC 2017 criteria or the applicable control objectives along with the results of the auditors' test of controls. The SOC compliance report can be qualified or un-qualified.The SOC compliance reports could be carve-in or carve-out depending on sub service organization controls are included or not.

Find out More
Ecom Infotech

Data in the Cloud is causing nightmares to CIO’s and CISO’s – Leading Security Reports

Image Description

Our Cybersecurity Services

Cloud Security Assessment

Cloud Security Audits

Cloud Security Audits for IaaS, PaaS and SaaS on Amazon AWS, Azure, Google platforms covering VAPT and Benchmarking against Standards.

Read More
SOC 2, ISO 27001 and Cloud STAR Audit

SOC 2, ISO 27001 and Cloud STAR Audits

Cloud Security Audits under Cloud Security Alliance to provide SOC 2 Type 2 and ISO 27001 for Cloud STAR Level 2 Complaince with CCM controls.

Read More
Privacy Assessment & Attest Service

Privacy Compliance Services

With hefty Privacy fines, our privacy services can help you stay compliant with mandates such as HIPAA, GDPR, CCPA etc. We also offer your ISO 27701 Certification for Privacy

Read More
Cybersecurity Assessment for Critical Infrastructure

Cybersecurity Assessment for Critical Infrastructure

Our team has experience with large projects relating to NERC-CIP, IEC62443/ISA99, Critical, and Smart Infrastructure Security.

Read More

Our Client Testimonials



FTC imposes USD 5 billion Privacy fine on Facebook relating to Cambridge Analytica

Learn more

A criminal hack affecting bookings made on the airline's website and app.

Learn more

Hackers accessed the reservation database for Marriott's Starwood hotels and copied

Learn more