SOC 1 vs SOC 2: Which Report Do You Actually Need?
SOC 1 covers financial controls; SOC 2 covers security and availability. Most SaaS companies need SOC 2. Learn how to tell which report your customer is asking for.
- SOC 1 covers controls relevant to financial reporting (ICFR); SOC 2 covers security, availability, and data protection.
- Most SaaS companies need SOC 2, not SOC 1 — unless their service directly impacts customer financial statements.
- Payroll processors, accounting SaaS, and ERP vendors typically need both SOC 1 and SOC 2.
- SOC 1 is governed by SSAE 18; SOC 2 is governed by AT-C Section 205 — both require AICPA-licensed CPA auditors.
- Enterprise buyers can request either or both — know which one applies to your service before starting.
Overview
The SOC (System and Organisation Controls) report family includes SOC 1, SOC 2, and SOC 3. All are issued by AICPA-licensed CPA firms, but they cover fundamentally different subject matter. Confusing SOC 1 with SOC 2 in a customer conversation can create unnecessary work — or a delayed deal.
SOC 1 Explained
SOC 1, issued under Statement on Standards for Attestation Engagements No. 18 (SSAE 18), reports on controls at a service organisation that are relevant to user entities' internal control over financial reporting (ICFR). Specifically, it addresses one question: do the service organisation's controls prevent material misstatements in the financial statements of its customers?
A SOC 1 Type I report states that controls are suitably designed at a point in time; a SOC 1 Type II report states that controls operated effectively over a period (the same Type I/Type II structure as SOC 2). The report is used by customer auditors (financial statement auditors) during their ICFR assessments.
SOC 2 Explained
SOC 2 reports on controls related to Trust Services Criteria: Security, Availability, Processing Integrity, Confidentiality, and Privacy. It addresses: does the service organisation have adequate controls to protect customer data and systems?
SOC 2 is requested by IT security teams, procurement, and compliance functions — not by financial statement auditors. Its audience and purpose are entirely different from those of SOC 1.
Key Differences
Purpose: SOC 1 is for financial auditors evaluating ICFR risk from service organisations. SOC 2 is for security teams evaluating data security and operational risk.
Governing standard: SOC 1 is governed by SSAE 18 (AT-C Section 320). SOC 2 is governed by AT-C Section 205. Both require AICPA-licensed CPA auditors.
Scope: SOC 1 scope is determined by which of the service organisation's controls affect customer financial reporting. SOC 2 scope is determined by which systems and processes are in scope for the Trust Services Criteria.
Who Needs Which Report?
You need SOC 1 if: your service directly affects how customers record financial transactions, process payroll, manage accounts payable/receivable, or otherwise impacts customer financial statements. Examples: payroll processors (ADP, Gusto), accounting SaaS (Xero, QuickBooks), ERP systems, POS processors, loan origination systems.
You need SOC 2 if: you provide a SaaS service where customers are concerned about data security, availability, and confidentiality. This covers the vast majority of B2B SaaS — HR platforms, project management tools, CRMs, analytics platforms, developer tools, security tools.
The quick test: would a failure or error in your service cause your customer's financial statements to be materially misstated? If yes, you likely need SOC 1. If the concern is data security and system availability, you need SOC 2.
When You Need Both
Some service organisations need both SOC 1 and SOC 2. A payroll processor, for example, affects financial reporting (SOC 1 needed) and stores sensitive employee personal data (SOC 2 needed). The two reports have different scopes, and different auditors may work on each, though many firms conduct both engagements together.
Fintech companies processing payments, billing platforms, and revenue recognition SaaS are common examples of companies that receive requests for both reports from their enterprise customers.
Common Mistakes
Mistake 1: Assuming all SOC reports are the same. When a customer procurement team asks for a "SOC report," clarify whether they want SOC 1 or SOC 2 before engaging an auditor.
Mistake 2: Getting SOC 1 when SOC 2 is what your customers need. A developer tools company getting SOC 1 because someone misread a procurement request — and then needing to redo the engagement for SOC 2 — wastes $20,000+ in audit fees.
Mistake 3: Thinking SOC 2 is sufficient when customers specifically need SOC 1 for ICFR audits. If a Big 4 financial auditor is requesting the report, they almost certainly need SOC 1.
Frequently Asked Questions
Can SOC 2 replace SOC 1?
Is SOC 2 more expensive than SOC 1?
What does "SSAE 18" mean on a SOC report?
Do Indian SaaS companies need SOC 1?
Who requests SOC 1 reports?