Jun 27, 22 1:53 pm

Was this post helpful?

What is a SOC 2 Report and Why Are Your Clients Asking For It?

Jun 27, 2022
| by:
Martin Cozzi

This article is an edited version of its original available here. This article is most valuable to SaaS companies looking to improve their understanding of compliance in general, as well as understanding the value and usefulness of SOC 2 report audits.

Audit types

Before diving into the SOC framework, it is important to understand the three different types of audit your company can perform:

  • Internal: Ran internally by your team, it is put in place to measure and control internal standards and processes.
  • External second: Ran by another company such as a client to ensure that your company is meeting the requirements specified in the contract.
  • External Third-Party: Ran by an independent auditing company to validate that your company is conforming to a set of standards, such as the SOC standards.

Third party audits allow you to distribute a report as well as display a logo on your website, proving to your existing and potential clients that you have been audited and have passed said industry standards.

Understanding SOC 1 vs SOC 2, Type 1 vs Type 2

"The SOC standard is updated regularly to adjust to the fast-moving industry."

Who is in charge?

The American Institute of CPAs (AICPA) is in charge of designing and maintaining the SOC framework. It is updated regularly to adjust to the fast-moving industry.

The SOC framework

SOC, which stands for Service Organization Control, is a reporting framework. The reports compiled by the auditing company are the ones you will be distributing to your clients and are the result of auditing standards followed by the auditors.

Difference between SOC 1 and SOC 2 Report

Both SOC 1 and SOC 2 audits exist to validate the controls in place at your company and let your clients know that you are following industry standards.

SOC 1 is used to audit the controls relevant to your company’s finances.

SOC 2 is used to audit the controls relevant to the security, availability, or processing integrity of either a system you are running, or the information the system processes.

Difference between Type 1 and Type 2

Both SOC 1 and SOC 2 exist in two flavors:

Type 1: A point in time audit, during which auditors evaluate and report on the design of controls your company put into place as of a point in time. This is a great way to show good faith to your customers.

"This is how you show your clients and customers that you are continuously following industry standards."

Type 2: Happens over a period of time. This type of audit follows a Type-1 audit and is what larger prospects will be after. Auditors usually recommend a 6 months period for the first audit, and a 12 months period for consequent audits. It is important to note that there are no requirements or standards for the audit duration other than a 3 months minimum period.

At the end of the period, auditors will review the controls you put in place during the Type-1 audit, except this time auditors will ask for historical data. This is how you show your clients and customers that you are continuously following industry standards.

As an example, let’s assume that you have a procedure in place to revoke access to a terminated employee:

- During a Type 1 audit, auditors will review this policy and make sure it conforms to the SOC 2 reporting standard.

-During a Type 2 audit, the auditors will ask you for a list of all employees who left during the Type 2 Period months period and will be looking at proof that you followed the policy in place. This also includes performing a penetration test.

chart of soc1 and soc2 differences

Difference between SOC 1 and SOC 2

Do I need a SOC 2 report?

If your company offers a SaaS solution, a SOC 2 report will prove to your clients that you are handling their data safely by following trusted industry standards. It will make the difference between you and your competitors. Starting with a SOC 2 Type 1 report is a great first step to understanding the technicalities of the audit before moving to the SOC 2 Type 2 cycle.


Was this post helpful?

About the Author

Share This Post

Leave a Reply

Your email address will not be published.

Related Post

Mar 8, 2023 by Alex Hewko

How Penetration Testing Increases Your ROI of ISO 27001 Compliance

Read more

Was this post helpful?

title text header with tech background image
Nov 14, 2022 by Omkar Hiremath

NIST SP 800-115 and Penetration Testing

Read more

Was this post helpful?

title text with article background
Sep 12, 2022 by Omkar Hiremath

Basics of Patch Management Policies

Read more

Was this post helpful?


301 Moodie Dr. Unit 108
Ottawa ON K2H 9C4

Designed by WP Expert
© 2023
Software Secured