SOC 1 reports, under the AICPA (American Institute of CPAs) SSAE 16 guidance are designed to provide external parties, such as partners and customers assurance that a company’s internal controls over financial reporting are appropriate and operating effectively. SOC 1 reports replaced the SAS 70 standard. SOC 1 reports are a great way to gain confidence that you’re doing all of the right things. This can help your customers gain trust in you as a service provider.
We have seen from experience that many enterprise companies will not do business with smaller companies or startups that have not completed a SOC 1 or SOC 2 report. Too many small companies “fly by the seat of their pants” and lack the necessary security controls to protect their information. As mentioned above, SOC 1 reports are traditionally reserved for testing controls relevant to the financial reporting process. If your company is not processing financial transactions, or used in the chain of financial system processing, a SOC 2 report may be a better fit for you.
The SOC 1 Type I is the first report issue issued in when you’re a company providing services that impacts your customer’s financial reporting. The Type I report merely provides a description of your company, the internal control environment, references to your policies and procedures, and an opinion on the suitability and design of the controls in place at the point in time the report was issued. While a SOC 1 Type I is better than no report at all, it provides very little value to your customers/partners because it does not provide an opinion on whether you’re actually following your own policies and procedures. Type I reports are usually just a stepping stone to the much stronger SOC 1 Type II.
The SOC 1 Type II is typically the second report issued and is much more valuable external parties because it reports on the effectiveness of the controls in your organization. Are you doing what you said you’re doing? Do the policies match the actual operation of your company? Per AICPA guidance, the report must cover a period of time of at least 6 months. The means Type II reports can’t be created in a short period of time. Typically the Type II audit review is scheduled 6-months after issuance of the SOC 1 report. After a SOC 1 Type II report is issued, it is generally renewed on an annual basis.
Let us help you find out what compliance framework is best for your business.
Learn how SOC 1 reports can help businesses with services that impact financial reporting meet the needs of customers and partners.
Learn how SOC 2 reports differ from SOC 1 and are best-suited for companies providing information services such as SaaS and cloud companies.
Learn how HIPAA no longer impacts just healthcare companies. If your company stores any health data (even on behalf of a customer), you're liable.