Defined by the AICPA as the first part of the Service Organization Control series, SOC 1 addresses internal controls around financial reporting. SOC 1, 2, and 3 all follow the Statement on Standards for Attestation Engagements (SSAE 18).
Although it is less widely applicable than its SOC 2 and SOC 3 counterparts, SOC 1 applies to businesses (known as service organizations) that directly handle financial information for customers or business partners, and it emphasizes the importance of protecting the financial data of both groups.
SOC 1 compliance covers a service organization's handling, transmission, and storage of users' financial information. By focusing on the effectiveness of a service organization's internal control, a SOC 1 report evaluates internal controls over financial reporting: in particular, whether the stated control objectives are met and whether logical and physical access to programs, data, and computer resources is effectively controlled.
This helps service organizations build customer trust and reduce the risk of fraud or financial misstatements. Specifically, a SOC 1 report aids management, investors, auditors, and customers in evaluating internal controls over financial reporting within guidelines laid out by the AICPA.
As with most information security frameworks, SOC 1 compliance becomes important to your business when a prospect or customer asks to see your report. This will likely happen if you manage financial data or handle financial reporting for users, like payroll, stock options, retirement plans, and more.
Protecting client data is crucial in this context: the service organization accesses and safeguards customers' financial information and statements, which directly affects the evaluation of internal controls over financial reporting and gives publicly traded clients assurance about the security of their data.
Often, larger enterprises require their vendors to be compliant for the enterprise to pass their own audits. Similarly, you may need to ensure that your vendors are compliant if they are exposed to any user financial reports.
While SOC 1 reports focus on financial reporting and an organization’s internal controls, SOC 2 reports evaluate the effectiveness of a company’s security, confidentiality, and privacy controls.
SOC 2 reports are more relevant for organizations that process sensitive or confidential data, such as HealthTech companies or financial institutions. SOC 2 reports can also help organizations demonstrate compliance with HIPAA, GDPR, or PCI DSS regulations.
Like other SOC frameworks, getting compliant with SOC 1 involves scoping the program and performing a gap analysis of existing and missing controls, including both IT general controls and business process controls. These controls are essential for demonstrating reasonable assurance that the control objectives in a SOC 1 report are met. Any missing controls, business process controls as well as IT general controls, must be implemented, a risk assessment must be executed, and finally an official audit must be performed by a licensed public accountant.
Unlike other SOC frameworks, the first step is choosing an auditor. The auditor helps identify control objectives and the supporting control activities based on your system and the maturity of your product. Typically, there are three categories for control objectives. The same firm that identified the appropriate controls can then audit your control objectives and control activities.
The SOC 1 compliance process looks like this:
To become SOC 1 compliant, service organizations must follow specific control objectives and control activities outlined in the AICPA’s SOC 1 framework. The control objective statement plays a crucial role in defining the aim of controls within this framework, focusing on addressing the risks that controls are intended to mitigate and ensuring that controls support the objectives within a given process.
The framework outlines five categories of objectives for internal controls that a service organization must address: control environment, risk assessment, control activities, information and communication, and monitoring.
Within those control categories are internal controls themselves. These include access controls, change management, backup and recovery, and disaster recovery planning. Ensuring the operating effectiveness of these controls over time is essential for maintaining SOC 1 compliance.
The control environment objective evaluates the service organization’s overall control environment, including the tone at the top, the organization’s integrity and ethical values, and the commitment to competence. The control environment provides the foundation for all other control objectives.
The risk assessment objective evaluates the service organization’s processes for identifying and assessing the risks that could affect the reliability of financial reporting. This includes evaluating the design and implementation of internal controls to mitigate identified risks.
The control activities objective evaluates the specific control activities in place to prevent or detect financial misstatements. Control activities can include policies and procedures related to access controls, segregation of duties, and monitoring and reporting of financial transactions.
The information and communication objective evaluates the accuracy, completeness, and timely reporting of financial information. This includes an evaluation of the service organization’s systems for capturing, processing, and reporting financial information.
The monitoring objective evaluates the service organization’s ongoing monitoring of its controls to ensure their effectiveness over time. This includes an evaluation of the service organization’s processes for identifying control deficiencies and taking corrective action when necessary.
Where applicable, Thoropass standardizes control objectives and control activities across multiple frameworks. That means that we try to borrow the best control objectives from SOC 2 to fulfill control objectives for SOC 1. This helps save time, avoid confusion, and get your organization closer to full compliance in one swoop.
SOC 1 attestation focuses on evaluating and reporting on the effectiveness of an organization's internal controls, and specifically a service organization's internal controls over financial reporting. This type of attestation can only be performed by independent, third-party auditors who meet specific qualifications outlined by the AICPA.
These auditors must have the appropriate experience and training to assess the effectiveness of a service organization’s internal controls, ensuring they are designed and operating effectively to achieve the objectives related to financial reporting. It’s crucial to select a reputable auditor with experience in your industry and the type of service you provide, as they play a key role in evaluating these controls and providing assurance to clients and auditors regarding their effectiveness.
Businesses pursuing SOC 1 compliance typically start with a Type 1 report. Type 1 reports examine the design of your compliance program at a certain point in time. This includes any policies you have in place to protect your data, information security procedures, and any additional evidence that your compliance program is functional.
SOC 1 Type 2 reports examine the security of your financial controls over a specified period of time, typically 9-12 months. The report includes an evaluation of the controls and corresponding evidence. It needs an annual re-evaluation to maintain compliance.
SOC 1 frameworks must be audited by a certified public accountant from a third-party entity. While we recommend an experienced SOC auditor examining your compliance program, you can leverage any CPA.
The timeframe for an audit is dependent on the size of your organization and the scope of the program. Type 2 must be evaluated over a period of time to determine control effectiveness. You’ll need at least 6 months of evidence after implementation to get your Type 2.
Depending on your business, you may end up pursuing both SOC 1 and SOC 2 compliance.
Note: This blog post was originally published in March 2023 but was reviewed and updated by internal SMEs on May 10, 2024
SOC (Service Organization Controls) reports are independent evaluations that give you valuable insights into a service provider’s infrastructure, risks, and the effectiveness of their controls. They are essential tools that help service organizations gain customers’ trust.
With SOC reporting, service organizations can demonstrate their commitment to maintaining a secure and reliable system.
In this post, we’ll dive into the world of SOC reports and learn how to choose the right one for your organization.
When it comes to SOC reports, there are three main types to consider:
There are also Type 1 and Type 2 reports, which we'll cover further down. Each type serves a different purpose and focuses on a different aspect of a service organization's operations.
A typical SOC report covers the following areas:
Let’s delve further into the distinct characteristics of each type of SOC report.
If your organization provides financial reporting services, then SOC 1 reports are crucial. These reports assess internal controls related to financial reporting, which can impact user entities’ financial statements. For instance, if you’re using a payroll provider, reviewing their SOC 1 reports ensures that the controls they have in place for processing payroll are effective.
SOC 1 focuses on internal controls that affect customer financial reporting and is tested against objectives that the auditor and the business agree on. These control objectives are defined by the organization and cover the business processes and IT systems that affect the user entity's financial statements, for example the controls around preparing tax and financial statements.
The main focus of a SOC 1 report is Internal Control over Financial Reporting (ICFR), with control objectives related to both IT general controls (ITGCs) and business processes at the service organization.
These reports are most relevant when the organization’s services directly affect its clients’ financial reporting. SOC 1 reports are commonly used by organizations that process financial data and provide services like payroll processing, financial transaction processing, or other functions related to financial reporting.
The service auditor’s role in a SOC 1 report is to review any risks from the audited business that could affect the internal controls clients have in place. Moreover, SOC 1 reports are relevant for SOX, PCI, GDPR, and ISO 27001 compliance programs.
SOC 2, which stands for “Service Organization Control 2,” is another type of audit report issued under the Statement on Standards for Attestation Engagements (SSAE) No. 18 standard.
SOC 2 addresses a service organization's controls relevant to its operations and compliance, as outlined by the AICPA's Trust Services Criteria. The audit determines whether the organization is securely managing third-party data to protect it and ensure privacy, and whether its internal operations and governance meet the set standards. SOC 2 uses the COSO framework to test your internal controls against five Trust Services Criteria:
SOC 2 reports are relevant when the services provided are not directly tied to clients' financial reporting but involve handling sensitive data or critical functions. SOC 2 reports are often used by SaaS providers, cloud service providers, and other organizations that deal with customer data or provide technology-related services. However, it is worth noting that a company operating on-premise or in a co-location facility or data center may also need a SOC 2.
If you’re looking for a more accessible, public-facing report, the SOC 3 report is your go-to option. It’s a general-use report that provides information about a service organization’s internal controls for:
The key difference between SOC 3 and SOC 2 reports is that a SOC 3 report does not include the detailed description of the controls tested or the results of those tests, which makes it suitable for a wider audience. However, you must complete a SOC 2 Type 2 report in order to obtain a SOC 3.
In addition to the main SOC reports, there are also specialized SOC reports. For example, the SOC for Cybersecurity report and the SOC for Supply Chain report.
The SOC for Cybersecurity report is an evaluation of an organization’s cybersecurity risk management program. By assessing how effective an organization’s internal controls are, this report can showcase an organization’s commitment to cybersecurity and provide assurance to stakeholders.
Companies may request a SOC for Cybersecurity report from their vendors to ensure their cybersecurity measures are up to par. Moreover, a SOC for Cybersecurity report can help identify and address cybersecurity risk management program gaps.
The SOC for Supply Chain report addresses operational risks faced by companies dealing with physical products, such as producers, manufacturers, and distributors. Meeting the custom criteria of the SOC for Supply Chain report allows organizations and their customers to have more confidence in the risk management within their production and distribution system.
High level: Type 1 reports concentrate on the design of controls, while Type 2 reports test the operational effectiveness of controls over a defined period.
Type 1 reports provide a snapshot of an organization's controls at a specific point in time. These reports assess the design of controls, offering a quick overview of the controls in place but not evaluating their effectiveness over a period of time. In other words, Type 1 reports give you a glimpse of the controls' design but don't delve into their long-term performance.
Type 2 reports, on the other hand, offer greater assurance by evaluating the effectiveness of controls over a defined period, typically six months to a year. These reports not only assess the design of controls but also test their operational effectiveness, providing a more comprehensive examination of an organization’s controls.
A Type 2 report is the way to go for organizations seeking more robust assurance.
Selecting the right SOC report for your organization involves analyzing your organization’s specific requirements and ensuring alignment with industry standards and regulations.
To determine which SOC report is right for you, consider the following:
It is critical to verify that the report aligns with the standards and regulations of your industry. For example, if you're in the financial services industry, you should consider regulations such as SOX, PCI DSS, and GDPR when choosing a SOC report. By aligning your chosen SOC report with industry standards and regulations, you'll be better equipped to demonstrate your organization's commitment to security and compliance.
Preparation for a SOC audit includes:
A SOC readiness assessment is a crucial first step in preparing for a SOC audit. This process involves evaluating your organization’s current controls, reviewing the trust services criteria, and performing a gap analysis to identify any deficiencies or gaps.
Ensuring that all necessary documentation is in order is vital to preparing for a SOC audit. This includes:
Choosing an auditor for your SOC audit is vital in guaranteeing a detailed report and achieving a successful outcome. When choosing an auditor, consider factors such as:
SOC reports play a critical role in assessing the controls and procedures of service organizations. It’s essential to choose the right report for your organization based on its specific needs and industry requirements.
By preparing for a SOC audit through readiness assessments, gathering documentation, and selecting the right auditor, you can ensure a comprehensive and successful SOC report. Remember, trust is everything in today’s digital world, and a robust SOC report can help you build that trust with your customers.
Need help with SOC 1 or SOC 2? Thoropass can help manage your SOC 1 or SOC 2 compliance journey. Hit the ground running with expert-curated templates for policies and procedures. Controls are built with auditors in mind, so you can go to an audit with confidence. When the time comes, your audit will be completed by our in-house auditors entirely within the Thoropass platform, reducing manual and duplicative work.