SOC 2 evolved from the Statement on Auditing Standards (SAS) 70, an old audit that Certified Public Accountants (CPAs) used to assess the effectiveness of an organization’s internal controls.
While security was included under the umbrella of internal controls, it came to the attention of the American Institute of Certified Public Accountants (AICPA) that some organizations were offering SAS 70 reports as proof they were safe to work with. In response, AICPA replaced SAS 70 with the Statement on Standards for Attestation Engagements (SSAE) 16 report, which was later renamed Systems and Organizations Controls 1 (SOC 1).
A SOC 1 report gives your company’s user entities some assurance that their financial information is being handled safely and securely. SOC 1 reports come in two flavors: Type 1 and Type 2. A Type 1 report shows that your company’s internal financial controls are properly designed while a Type 2 report demonstrates that your controls operate effectively over a period of time (e.g., over a 12-month period).
Then in 2009, AICPA introduced SOC 2 as an audit report with a strict security focus and issued the five Trust Services Principles. These principles were defined as “a set of professional attestation and advisory services based on a core set of principles and criteria that address the risks and opportunities of IT-enabled system and privacy programs.”
SOC 1 differs from SOC 2, which can be summarized as follows:
|What is it?
|Assess and report on a service organization’s internal controls’ impact on customers’ financial statements
|Assess and report on a service organization’s internal controls regarding the security, availability, processing integrity, confidentiality, and/or privacy of customer data (i.e., the “Trust Services Principles”)
|What's the scope?
|The processing and protection of customer data, spanning both business and IT processes
|Any combination of the five Trust Services Principles
|Who uses it?
|Executive teams, external auditors
|Executive teams, sales teams, business partners, prospective customers, regulators, external auditors
|What's an example?
A company provides outsourced billing services for hospitals.
The hospitals that want to audit the security controls of the billing provider can be given a SOC 1 report as evidence.
A SaaS company provides a service of storing and protecting customer data.
Instead of having customers inspect the security measures and systems in place to protect their data, the SaaS company can just give customers a copy of the SOC 2 report that details the controls in place to protect their data.
Simply stated, the SOC 2 principles represent the criteria to be used to evaluate and report on an organization’s controls over the security, availability, processing integrity, confidentiality, or privacy of information and systems.
AICPA further stipulated that it was not necessary to address all the Trust Service Principles, and that an organization should select only those relevant to their own services.