SOC 1, SOC 2, SOC 3, Audit And Attestation Reports

What is the difference between SOC 1 and SOC 2?
A SOC 1 audit focuses on the internal controls over financial reporting (ICFR), whereas a SOC 2 audit focuses on information and IT security, assessed against the 5 Trust Services Principles: Security, Confidentiality, Privacy, Processing Integrity, and Availability.
What is a SOC 1 Type 1 report and SOC 1 Type 2 report?
A SOC 1 Type 1 report is an attestation of the controls at a service organization at a specific point in time, whereas a SOC 1 Type 2 report is an attestation of those controls over a minimum period, usually six months, though it can be as short as 3 months.
What is a SOC 2 Type 1 report and SOC 2 Type 2 report?
A SOC 2 Type 1 report details the suitability of the design of the controls in the service organization's system. It describes the system at a point in time, in particular its scope, management's description of the system, and the controls in place. A SOC 2 Type 2 report is an internal controls report detailing the operating effectiveness of the security controls that safeguard customer data over a period of time, referred to as the "reporting period."
What is a SOC 3 report?
The SOC 3 report is a public report on the internal controls of a service organization, based on the 5 Trust Services Principles: Security, Availability, Processing Integrity, Privacy, and Confidentiality. It covers the same subject matter as the SOC 2 report but is written to provide assurance that the attestation was performed without revealing proprietary details of the controls or the system.
Are SOC 1 audit reports, SOC 2 audit reports, or SOC 3 reports publicly available?
SOC 1 and SOC 2 reports are not public or general-use documents. They are intended for the internal use of the service organization and are restricted in their distribution. The SOC 3 report, however, can be made available to the public to give stakeholders assurance about the service organization's internal controls.