Let's get on each others' calendars.

SOC 1 vs SOC 2:

How to Win Over Your Dream Clients

Trust. It’s something that is hard to measure and, in business, it’s vital to securing larger clients and bigger deals.

Your clients need to be able to trust your services and their security. They need to have proof beyond just your word that everything will run well.

This is where you need to know how to tell SOC 1 vs SOC 2.

It might sound like jargon, but knowing what each of these audits is, how they differ, why they’re useful, and when you might need to have them carried out is the key to not being another statistic in next year’s data breach summary, and to giving your clients the confidence they need to commit.

To that end, this post will cover:

  • What are the SOC audits?
  • SOC 1 vs SOC 2
  • How to know which audit you need
  • Benefits and drawbacks of SOC 1 vs SOC 2

Let’s get started.

What are the SOC audits?

Source, image used under Pexels license

SOC (Service Organization Controls) 1, 2, and 3 are all audits designed to assess different parts of your company in a way that is totally objective. This means that there’s no room for the results to be colored by internal biases, so your clients know for sure that the assessment is fair.

To be valid, all SOC audits must be carried out by a Certified Public Accountant (CPA) accredited by the American Institute of Certified Public Accountants (AICPA). This is what lets clients know without any extra evidence that the results are trustworthy, as the accountant has no ties to you or your company, and so there is no risk of rules being waived or your reputation giving you leniency.

Once you have your audits carried out you can enjoy a wealth of benefits from increasing your company’s net worth through handling more valuable clients to increasing the security of the financial data you handle. It’s well worth getting certified, but their prohibitive cost (in time and money) means that you don’t want to try and do so too early when the benefit will be small.

There’s one main problem with all SOC audits; it’s not always obvious which one you need, or whether your clients require you to have them. We’ll cover the benefits and drawbacks of these audits in more detail later, but for now note that they have the potential to be incredibly confusing, time-consuming, and expensive, but also profitable.

For example, while there are 3 different SOC audits on paper, there are really only 2 in practice.

SOC 3 fulfills the exact same function as SOC 2 except the results are made public (and are thus sanitized to prevent leaking sensitive information). However, SOC 1 and 2 are very different beasts.

SOC 1 vs SOC 2

Source, image used under Pexels license

The easiest way to summarize the differences of SOC 1 vs SOC 2 is that SOC 1 is a measure of how secure your dealings with your client’s financial data are, whereas SOC 2 is a more general assessment of your operations relating to your data as a whole.

There are a few nuances, but it’s easy to see why so many mix them up. They are both performed by the same type of person (an accredited accountant with the previously mentioned specifications), and they both deal with how your company handles its data.

So, let’s take this step-by-step to eliminate any confusion.

SOC 1: Measuring the security of your client’s financial data

SOC 1 is an assessment carried out by an independent, accredited accountant with the aim to judge how effective your security measures are when it comes to dealing with client financial information, and data that could affect their financials in general.

SOC 1 is carried out according to The Statement on Standards for Attestation Engagements No.18 (SSAE 18). This means that your clients can see that you’re SOC 1 certified and immediately know that you’ve met these international standards for security with their financial information.

That’s all there is to it!

SOC audits come with a lot of legalese which covers much of the specifics of what they look at, how they assess it, and so on. This is also why they can be so difficult to understand if you’re not already experienced with them. However, all you need to know about SOC 1 is that it gives your clients peace of mind when wondering whether they can afford to trust you with any information which could affect their financial reporting.

SOC 2: A general assessment of your handling of client data

Source by Sohanhosen01, image used under license CC BY-SA 4.0

SOC 2 takes a much broader scope. While still carried out by independent accountants, SOC 2 focuses on your operations as a whole in relation to five core “trust service principles”:

  • Security
  • Availability
  • Processing integrity
  • Confidentiality
  • Privacy

These categories don’t just look at your technical specifications such as what security measures and software you have in place - your team is under just as much scrutiny as your wider organization. If there’s anything to be found in terms of potential security weaknesses, issues with confidentiality, sharing information with team members who shouldn’t have access, and so on, SOC 2 will flag and consider it in relation to the final report.

Speaking of security, it’s worth noting that SOC 2 audits also look at your vendors to make sure that they’re SOC 2 compliant. This is because having rigorous security measures will do no good if your data is being accessed through the security weaknesses of your vendors.

This doesn’t mean that all of your vendors have to be compliant. Only those who interact with your data (and any who handle the data of your clients) must also have the certification in order for your own organization to be eligible for it.

To sum it up in less than 1,000 words, SOC 2 makes sure that everything is secured against unauthorized access, your services and the client’s data are consistently and easily available to both parties, everything performs as it is intended to, client and internal data is appropriately confidential, and that you’re transparent about how you handle, retain, and dispose of client data. Your data handling, retention, and disposal practices must also be good enough to meet the SOC 2 standards, which will at least require you to meet AICPA’s Privacy Management Framework (PMF).

SOC 1 vs SOC 2

Source by Pictures of Money, image used under license CC BY 2.0

The main difference between SOC 1 and SOC 2 is the focus of their audits. SOC 1 is only concerned with how you interact with, handle, and secure your client’s financial information. SOC 2 is, as we’ve covered above, a much wider view of the security of your (and your client’s) data.

Yet that difference doesn’t always extend to their price.

There are a huge number of factors that influence the cost of both SOC audits, including the complexity of your systems and IT, the size of your company, your location, the number of objectives of the report, and the presence (and number) of any cloud infrastructure. All of these factors also play a role in the mandatory readiness assessments which you also have to go through before you can even have the SOC audit performed.

Knowing this, it’s almost impossible to predict what each audit will cost you precisely.

However, at a general level, the cost of SOC 1 and SOC 2 audits fall into similar price brackets, with SOC 2 being only slightly more expensive.

Schellman has run the numbers and estimates that the following costs are a good baseline to go with:

  • SOC 1 Readiness: $15,000 - $21,000
  • SOC 1 Type I: $23,000 - $35,000
  • SOC 1 Type II: $29,000 - $44,000
  • SOC 2 Readiness: $18,000 - $25,000
  • SOC 2 Type I: $25,000 - $39,000
  • SOC 2 Types II: $30,000 - $55,000

As you can see, neither SOC 1 nor SOC 2 are cheap to have carried out, hence why they’re best to do only when you’re at a size where you need them to expand. Once you’re at that stage the difference of a thousand dollars or so shouldn’t be a deal breaker, so their price is fairly compatible.

These differences aren’t difficult to wrap your head around by themselves. However, combine that with the different types of SOC audit (more on those below) and the general confusion many clients have as to which audit they require you to be compliant with, and things start to get messy.

So let’s cover how to know which audit you’ll need.

How to know which audit you need

Source, image used under Pexels license

To know which audit you’ll need to carry out (if any) you first need to understand that there are actually two different types of both SOC 1 and SOC 2 audits. These are helpfully named Type I and Type II assessments.

Type I audits function as a snapshot of a specific point in time. They serve to show whether you were compliant at and only at the exact time the audit was carried out.

Type II audits are carried out over a set period of time, usually six months to a year. Your company will be assessed against the SOC regulations and guidelines during the entirety of that time, hence why they’re a lot more expensive to carry out. Type II reports thus show that your company is not only compliant but consistently so, making them a better general show of your quality to your clients.

Basically, if you only need to show that you’ve been certified at a certain point in time, Type I will cover that. Type II reports will stay relevant for longer and show that you’re more reliable in your compliance with SOC standards. Remember that you can have Type I and Type II audits for both SOC 1 and SOC 2, so this should also factor into your consideration of what audit to have carried out.

SOC 1 audits are required by more compliance frameworks such as HIPAA and PCI-DSS, so you need to check if any that you need to keep up with also require it. If so, you’ll need to have a SOC 1 audit performed. The same is true if your services impact client financial reporting in any way, as your security in handling their data needs to be assured to avoid unnecessary risk.

SOC 2 isn’t required by any compliance frameworks, so you don’t technically need to have it done. However, it’s common practice for any company that handles sensitive client data (not necessarily financial data) to have it performed to assure customers that their data is safe.

For example, many SaaS companies, cloud service providers, and any organizations that use the cloud to store client data will have a SOC 2 audit carried out in order to prove to larger clients that they can be trusted to securely do business with them. When you’re still small there’s little sense in spending $50,000 or more on an audit that isn’t necessary, but it can work wonders for expanding your audience once you start to target more enterprise-level clients.

Remember too that having a SOC 1 audit performed doesn’t mean that you don’t need a SOC 2 too, and vice versa. It all depends on whether your business means that you’re required to have a SOC 1 assessment, and how much benefit you’d see from a SOC 2 one.

Benefits and drawbacks of SOC 1 vs SOC 2

We’ve covered what the differences of SOC 1 vs SOC 2 are, and when you’ll want to think about having one, both, or neither. Now let’s round out by covering the pros and cons of having them performed.

This is easier than trying to understand whether you might need them, as the benefits and drawbacks are all but identical for SOC 1 and SOC 2. These are:

  • You could see an increase in profits
  • Some clients will require compliance
  • They’re expensive to carry out
  • You might not need them (and could get the wrong one)

The increase in profits could come from opening yourself up to bigger and more profitable clients, who are usually the ones that will require SOC 1 or 2 compliance before they can agree to use your services. It’s a great way to maintain a steady and healthy growth rate without having to massively expand your team or upend your operations (if you’re already running things how they should be).

However, SOC 1 and SOC 2 alike are expensive to carry out, especially if you’re required or aiming to have a Type II assessment. Even the readiness assessments cost around $20,000 on average, which isn’t exactly pocket change for a startup. This makes them impossible to justify unless your company is already succeeding on some level - they’re not a magic pill that can save a business which is on rocky ground.

Plus, you might not actually need them, leaving you with a hole in your wallet and no real benefits to reap.

Remember that your clients won’t always know what they do and don’t require you to have by law, and even if they’re correct in needing a SOC audit, there’s no guarantee that the one they say you need is the one you actually need. What’s to say they didn’t get a SOC 1 Type II requirement mixed up with a SOC 2 Type I?

In other words, no matter what audit you think you need, it’s always best to remain cautious and thoroughly investigate before committing to either audit. The benefits can be huge, but don’t let that allure lead you to waste the better part of $100,000 in pursuit of it.

SaaS Finances 101