“So which audit do we need, a SOC 1 or a SOC 2” is a very common question fielded from Denver businesses, and rightfully so as there’s general confusion and misguidance on SOC 1 vs. SOC 2. For purposes of simplicity, SOC 1 assessments – which utilize the SSAE 18 professional standard – are for companies that display a true nexus to the concept known as Internal Controls over Financial Reporting – ICFR – think banks, actuarial businesses, trust departments, and others.
Moreover, services performed by service organizations can often impact the financial reporting for their clients, thus furthering the need for SOC 1 reporting. As for SOC 2, it’s geared towards technology driven companies, such as managed services providers, ISPs, Software as a Service (SaaS) entities, and more. There’s clear differences between SOC 1 and SOC 2, and you need to be aware of them.