SOC Reports
Now let’s discuss SOC reports. It’s crucial to note that there is a SOC 1 report and a SOC 2 report. Each SOC report can either be type I or type II. That means a SOC 1 report could be either type I or type II, and similarly, a SOC 2 report could be type I or type II.
To understand what that means and why we need SOC reports at all, let’s start with the purpose of a SOC report. A SOC report is a document that allows us to rely on the test work that has already been carried out by another auditor.
Consider a situation where we’re hired to audit a pizza company. The pizza company doesn’t process its payroll internally; instead, it outsources payroll to a large payroll company like ADP. ADP informs the company of its annual payroll expense. When auditing the pizza company, we’ll need to examine the payroll expense. But we can’t audit ADP directly.
What happens instead is that ADP has its controls audited by an external auditor, who provides them with a SOC report. Any company that relies on ADP for outsourced payroll can then use the SOC report, avoiding the need to duplicate work.
Now let’s differentiate between a SOC 1 report and a SOC 2 report. The distinction depends on the type of information being audited. A SOC 1 report aims to demonstrate that the controls are operating correctly to prevent any adverse impact on the financial statements. It’s about how the controls affect the numbers. The example of outsourcing payroll to ADP would require a SOC 1 report, as it shows how ADP’s processes affect the pizza company’s payroll expense.
A SOC 2 report, on the other hand, concerns how the controls affect customer data. It ensures that controls are correctly protecting customer data. A credit card company that needs to verify its protection of customer data would require a SOC 2 report.
Study Tip: A SOC 1 report focuses on the financial statements. A SOC 2 report focuses on customer data.
Now let’s talk about type I and type II. Each SOC report can either be type I or type II. A type I SOC report is management’s description of internal controls as of a specific date and does not test internal controls for their operating effectiveness.
A type II SOC report, on the other hand, tests the controls for their operating effectiveness and tests them over an entire period (e.g., January 1 – December 31). A type II report is more reliable than a type I report because it actually tests controls over a full period rather than on a specific date. When relying on a SOC report, a type II report offers much more assurance than a type I report.
Study Tip: A type II report is more reliable than a type I report.