SOC Reporting Explained

SOC 1 vs SOC 2 Which Report Does Your Business Actually Need?

SOC 1 and SOC 2 are both independent audit reports issued under AICPA attestation standards, but they answer two very different questions. A SOC 1 report examines the controls at a service organization that could affect a customer's financial reporting, while a SOC 2 report examines how that organization protects the systems and data itself against the Trust Services Criteria: security, availability, processing integrity, confidentiality, and privacy. Petronella Technology Group helps service organizations figure out which report their customers are really asking for, close the control gaps that would show up as exceptions, and walk into the audit with evidence already assembled - guided by a compliance practice that has secured regulated businesses since April 2002.

Securing Regulated Businesses Since 2002 | CyberAB RPO #1449 | BBB A+ Rated Since 2003
The Short Answer

What Is the Difference Between SOC 1 and SOC 2?

The difference between SOC 1 and SOC 2 comes down to what the auditor is examining. A SOC 1 report covers controls that are relevant to your customers' internal control over financial reporting: if your service can change a number on a client's financial statements, SOC 1 is the report their auditors will request. A SOC 2 report covers controls relevant to the security and handling of the systems and data you manage for customers, measured against the AICPA Trust Services Criteria. Both reports come in Type 1 and Type 2 versions, both are issued by a licensed CPA firm, and many service organizations ultimately need one of each.

Key Takeaways

  • SOC 1 addresses controls that affect customers' financial reporting; SOC 2 addresses security, availability, processing integrity, confidentiality, and privacy.
  • Type 1 evaluates control design at a single point in time; Type 2 also tests operating effectiveness over a review period, typically 3 to 12 months.
  • Payroll processors, loan servicers, and claims administrators typically need SOC 1; SaaS platforms, data centers, and managed service providers typically need SOC 2.
  • The reports are not interchangeable: a SOC 2 will not satisfy a financial statement auditor asking for SOC 1 coverage, and vice versa.
  • Petronella Technology Group runs readiness ahead of the CPA firm's attestation: scoping, gap assessment, remediation, and evidence collection through the ComplianceArmor platform.

SOC 1

What a SOC 1 Report Covers

SOC 1 exists because your customers' financial statement auditors cannot see inside your operation without it.

A SOC 1 report, issued under the AICPA's attestation standards (SSAE 18), examines the controls at a service organization that are relevant to user entities' internal control over financial reporting, usually abbreviated ICFR. The logic is straightforward: when a company outsources a process that feeds its financial statements, such as payroll, medical claims processing, loan servicing, fund administration, or transaction settlement, that company's auditors still have to form an opinion on the numbers those processes produce. Rather than send every customer's audit team into your data center, the profession created a single mechanism: one independent CPA firm examines your controls once, and every customer's auditor relies on the resulting report.

Because of that purpose, the control objectives in a SOC 1 are defined by the service organization around the processing that matters financially: transaction authorization, completeness and accuracy of processing, reconciliation, and the IT general controls that sit underneath them, such as change management and logical access. A SOC 1 is a restricted-use report: it is intended for the management of the service organization, its user entities, and those user entities' financial statement auditors, not for general marketing distribution. If your sales team wants a report to hand prospects during security review, that is a job for SOC 2, not SOC 1.

SOC 2

What a SOC 2 Report Covers

SOC 2 answers the question every enterprise buyer now asks: can we trust you with our data?

A SOC 2 report examines a service organization's controls against the AICPA Trust Services Criteria. The Security criteria (also called the Common Criteria) are mandatory in every SOC 2 examination; the remaining four categories, Availability, Processing Integrity, Confidentiality, and Privacy, are included based on what you commit to customers and what your services actually touch. Where SOC 1 lets the service organization define control objectives around financial processing, SOC 2 measures everyone against the same published criteria, which is exactly why customers treat it as a comparable trust signal across vendors.

In practice, a SOC 2 examination looks at how you govern security, how you control access to systems and data, how you manage changes and vulnerabilities, how you monitor for and respond to incidents, and how you meet the uptime, integrity, confidentiality, and privacy commitments in your contracts. SaaS companies, cloud hosting providers, data centers, managed IT and security providers, and any vendor that stores or processes customer data are the natural audience. SOC 2 reports are also restricted-use documents, but they are routinely shared with customers and prospects under NDA during vendor security reviews, and a SOC 3 report (a general-use summary of a SOC 2 Type 2) can be published openly for marketing purposes. If you want the deeper walkthrough of the criteria themselves, our SOC 2 compliance services page breaks down each category in detail, and our SOC 2 compliance checklist maps the practical steps.


Side by Side

SOC 1 vs SOC 2: The Comparison Table

The two reports share a publisher (the AICPA), an issuer (a licensed CPA firm), and a Type 1 / Type 2 structure. Almost everything else differs.

FactorSOC 1SOC 2
Core questionCould your service affect customers' financial statements?Do you protect customer systems and data?
Focus of the examinationInternal control over financial reporting (ICFR)Trust Services Criteria: security, availability, processing integrity, confidentiality, privacy
Who defines the controlsService organization defines its own control objectivesAICPA criteria are fixed; you map your controls to them
Primary readersCustomer management and their financial statement auditorsCustomer security, risk, and vendor-management teams
Typical organizationsPayroll processors, loan servicers, claims administrators, fund administratorsSaaS platforms, data centers, MSPs and MSSPs, cloud-hosted services
Sales usefulnessLow: restricted to financial-audit useHigh: standard artifact in enterprise security reviews; SOC 3 summary can be public
Report variantsType 1 (design, point in time) and Type 2 (design plus operating effectiveness over a period)Type 1 and Type 2, same structure; SOC 3 general-use summary available
Can one replace the other?No. They examine different subject matter and satisfy different audiences.

A useful shorthand: SOC 1 protects your customers' auditors, SOC 2 protects your customers' data. If a request comes from a controller, CFO, or external audit firm during their financial statement audit, they mean SOC 1. If it comes from a CISO, security questionnaire, or procurement portal, they mean SOC 2.

Type 1 vs Type 2

Type 1 and Type 2: The Second Axis of Every SOC Report

People often say "SOC 1 vs SOC 2" when the real question is Type 1 vs Type 2. Both SOC 1 and SOC 2 come in both types, so a vendor can hold a SOC 1 Type 2, a SOC 2 Type 1, or any other combination.

A Type 1 report is a snapshot: the auditor evaluates whether your controls are suitably designed and in place as of a single date. It is faster and cheaper to obtain, which makes it a common first milestone for organizations that need to show customers something soon. A Type 2 report covers a review period, typically 3 to 12 months, during which the auditor tests whether those controls actually operated effectively day after day. Sampled tickets, access reviews, change records, and incident logs from across the whole window all become evidence. Because it proves sustained operation rather than good intentions, Type 2 is what mature customers ultimately expect: a SOC 1 Type 2 for financial-processing vendors, and a SOC 2 Type 2 for data-handling vendors.

The practical sequencing question is where readiness work pays for itself. An exception in a Type 2 report is permanent for that period: if quarterly access reviews were skipped in month two, the report says so for every customer to read. That is why we push clients to run a readiness assessment and remediate before the review period starts, not during it. Our SOC 2 readiness assessment exists precisely to find those gaps while they are still fixable in private, and our SOC 2 Type II certification services carry organizations through the full monitoring period with evidence collection running continuously.

Background

From SAS 70 to SSAE 18: Why Two Reports Exist at All

If a longtime customer still asks for your "SAS 70," here is the lineage behind the request.

For decades, the only service-organization audit in wide use was SAS 70, a standard built purely around financial reporting. As outsourcing exploded, companies began stretching SAS 70 into a general-purpose "security audit" it was never designed to be: a report about payroll controls was being waved around as proof that a data center was secure. The AICPA responded by splitting the concept. SSAE 16, later superseded by SSAE 18, carried the financial-reporting mission forward as SOC 1, while the newly created SOC 2 took over the security, availability, processing integrity, confidentiality, and privacy questions under the Trust Services Criteria.

That history explains most of the confusion we untangle for clients today. Procurement templates written years ago still say "SAS 70 or equivalent." Financial auditors say "SOC report" and assume you know they mean SOC 1. Security questionnaires say "SOC certification" when no such certificate exists. When Petronella Technology Group scopes a readiness engagement, the first deliverable is simply clarity: which report, which type, which criteria, and which review period actually satisfies the person asking, so you never pay for an examination the requester will reject.

Not Sure Which Report Your Customers Mean?

Forward us the exact request language from your customer or their audit firm. In one short call, Craig Petronella's team will tell you whether it is a SOC 1 or SOC 2 ask, whether Type 1 or Type 2 fits your timeline, and what readiness would take.

Decision Guide

Which Report Does Your Business Need?

Work through the scenarios below. The deciding factor is never your industry label; it is what your service touches and who is asking.

You process transactions that hit customer financials

Payroll runs, insurance claims, loan payments, trades, fund accounting: if your output lands in a customer's general ledger, their auditors need SOC 1 coverage. Expect requests to intensify every fiscal year-end.

You host, store, or process customer data

SaaS products, hosting, backup, analytics, or managed IT and security services point to SOC 2. Security questionnaires, procurement portals, and enterprise deals are where the demand shows up first.

You do both

A fintech that processes payments and hosts customer financial data often needs both reports. The good news: IT general controls overlap heavily, so a shared control set and one evidence pipeline can feed both examinations.

You are early stage and budget-bound

Start with the report your largest near-term deal requires, usually a SOC 2 Type 1, then move to Type 2 in the following cycle. Our SOC 2 for startups program is built around that sequencing.

One more distinction worth naming: SOC 2 is an attestation report, not a certificate. There is no pass/fail badge issued by the AICPA, no matter what a vendor's marketing page implies. The deliverable is a detailed report containing the auditor's opinion, the description of your system, and the results of every control tested, exceptions included. Sophisticated customers read those exception listings closely, which is exactly why disciplined preparation matters more than the logo on the cover.


How We Help

How Petronella Technology Group Gets You SOC-Ready

The CPA firm attests; we make sure there is something worth attesting to. Petronella Technology Group runs the readiness side of the engagement so the examination itself holds no surprises.

1

Determine SOC 1 vs SOC 2 and Type 1 vs Type 2

2

Scope Systems and Trust Services Criteria

3

Gap Assessment Against Every Control

4

Remediate: Policies, Access, Monitoring

5

Collect Evidence via ComplianceArmor

6

Support the Audit and Maintain Year-Round

The engine behind steps three through six is ComplianceArmor, our proprietary compliance automation platform. It maps your controls to the Trust Services Criteria, generates the policy set auditors ask for on day one, and collects evidence continuously instead of in a panicked quarter-end scramble. Because the platform also carries CMMC, HIPAA, and PCI DSS modules, organizations that face several frameworks at once maintain one control set that feeds all of them: the access reviews you run for SOC 2 do double duty for HIPAA compliance or PCI DSS without re-collecting anything.

Craig Petronella, MIT-certified cybersecurity professional, CMMC Registered Practitioner, and NC Licensed Digital Forensics Examiner (License# 604180-DFE), has led security and compliance engagements for regulated businesses since founding the company in April 2002. As Craig Petronella details in his book How Hackers Can Crush Your Business, the vendors that fail security reviews are rarely the ones missing a document; they are the ones whose controls exist on paper but never operated. That operational focus, backed by a 24/7 Security Operations Center and the Managed XDR Suite, is what separates readiness work done by a security practice from readiness work done by a document mill. It is also why defense contractors working through our CMMC compliance guide and SaaS companies pursuing SOC 2 end up with the same underlying discipline: controls that run, with evidence to prove it.

"Petronella's work has been a major factor in our business success, helping it to become one of the most secured networks of its kind on the Internet."

Financial Services Firm, Raleigh, NC - verified client

FAQ

SOC 1 vs SOC 2 Questions

What is the main difference between SOC 1 and SOC 2?
SOC 1 examines controls at a service organization that are relevant to customers' internal control over financial reporting, such as payroll or claims processing. SOC 2 examines controls over the security, availability, processing integrity, confidentiality, and privacy of the systems and data the organization manages, measured against the AICPA Trust Services Criteria. SOC 1 satisfies financial statement auditors; SOC 2 satisfies security and vendor-risk teams.
Is SOC 2 better than SOC 1?
Neither is better; they answer different questions for different audiences. A payroll processor whose customers' auditors need assurance over financial processing must have SOC 1, and no SOC 2 will substitute. A SaaS company being vetted for data security needs SOC 2. The right report is determined by what your service touches and who is requesting the assurance.
What is a SOC 1 Type 2 report?
A SOC 1 Type 2 report examines both the design and the operating effectiveness of a service organization's financial-reporting-relevant controls over a review period, typically 3 to 12 months. The auditor tests sampled evidence from across the whole period, which is why customer audit firms prefer Type 2 over the point-in-time Type 1 snapshot.
What is a SOC 2 Type 1 report and is it enough?
A SOC 2 Type 1 report evaluates whether your controls are suitably designed and implemented as of a single date. It is a legitimate first milestone and often enough to unblock an early deal, but most enterprise customers expect a SOC 2 Type 2 within the following audit cycle because Type 2 proves the controls kept operating over months, not just on one day.
Can one company need both SOC 1 and SOC 2?
Yes, and it is common. A fintech that processes payments (financial reporting impact) while hosting customer data (security impact) may field requests for both. Because the underlying IT general controls overlap heavily, a well-designed shared control set with one evidence pipeline, which is how the ComplianceArmor platform is built, can feed both examinations without doubling the work.
Who can issue a SOC 1 or SOC 2 report?
Only a licensed, independent CPA firm can perform the examination and issue the attestation report under AICPA standards. Petronella Technology Group does not issue the report; we run the readiness side, including scoping, gap assessment, remediation, and evidence collection, and then support you through the CPA firm's examination so findings do not surprise you.
How long does it take to get a SOC 2 report?
Readiness and remediation commonly take one to several months depending on your starting maturity. A Type 1 can follow soon after remediation is complete. A Type 2 additionally requires the review period itself, typically 3 to 12 months of control operation, plus the auditor's fieldwork and reporting time afterward.
What is SOC 3 and how does it relate?
SOC 3 is a general-use summary of a SOC 2 Type 2 examination. It contains the auditor's opinion without the detailed control test results, so it can be posted publicly on your website as a trust signal. You cannot obtain a SOC 3 on its own; it is produced alongside a SOC 2 Type 2 engagement.

Get the Right Report, Ready on the First Pass

Whether your customers are asking for SOC 1, SOC 2, or both, the expensive mistake is preparing for the wrong one, or walking into a Type 2 period with controls that have not started operating. Petronella Technology Group, rated 4.7 across 92 verified TrustIndex reviews, will scope it correctly and get the evidence machine running before the auditor arrives.

Last Updated: July 19, 2026 | Petronella Technology Group, Inc., 5540 Centerview Dr., Suite 200, Raleigh, NC 27606