Question 1

What is a SOC 1 report?

Accepted Answer

A SOC 1 report is for service organisations whose services affect their customers' financial reporting, for example, payroll processors, loan servicers, or transaction-processing platforms. Auditors of those customers rely on the SOC 1 report to evaluate Internal Controls over Financial Reporting (ICFR). It is governed by the SSAE 18 / ISAE 3402 standards.

Question 2

What is a SOC 2 report?

Accepted Answer

A SOC 2 report is for service organisations that handle customer data, typically SaaS, cloud, and managed-service providers. It evaluates controls against the AICPA's Trust Services Criteria: Security (mandatory), and optionally Availability, Confidentiality, Processing Integrity and Privacy. Customers and prospects use SOC 2 to gain comfort that you are protecting their data.

Question 3

What is a SOC 3 report?

Accepted Answer

A SOC 3 is a public, summary version of a SOC 2, same underlying audit, but a shortened report that can be shared freely on a website or with prospects. SOC 3 cannot be issued without an underlying SOC 2 Type 2.

Question 4

SOC 1 vs SOC 2, which one do I need?

Accepted Answer

If your service touches your customers' financial statements, you need SOC 1. If your service stores or processes customer data and they care about security/availability/privacy, you need SOC 2. Some organisations need both, for example, a payments platform that also stores sensitive customer data.

Question 5

What is a Type 1 report?

Accepted Answer

A Type 1 report evaluates whether your controls are suitably designed and in place at a single point in time (a specific date). It answers: 'On 31 March, did the right controls exist?' It does not test whether they actually worked over a period.

Question 6

What is a Type 2 report?

Accepted Answer

A Type 2 report evaluates whether your controls were both suitably designed AND operating effectively over a period of time, typically 6 to 12 months. The auditor samples evidence from across that period to test that each control consistently did what it was supposed to do. This is the report most enterprise customers want.

Question 7

Type 1 vs Type 2, which should I start with?

Accepted Answer

Most organisations start with Type 1 because it is faster and confirms the controls exist. Then they move to Type 2 to demonstrate the controls operated effectively over time. If you are early-stage and a customer is asking for SOC 2 today, a Type 1 buys you credibility while you build evidence for the Type 2 observation period.

Question 8

How long is the Type 2 observation period?

Accepted Answer

Three to twelve months. First-time Type 2 audits are often a 3- or 6-month period to keep things manageable; subsequent annual reports usually cover a full 12 months so there is no gap between consecutive reports.

Question 9

What is ITGC?

Accepted Answer

ITGC stands for IT General Controls, the foundational controls over the technology that supports financial reporting and operations. They cover four areas: access to programs and data, program changes, computer operations (jobs, backups, incidents), and program development (SDLC). If ITGC fails, auditors cannot rely on application-level controls.

Question 10

What is information systems audit?

Accepted Answer

Information systems (IS) audit is the independent examination of the controls within an organisation's information technology, the systems, infrastructure, and processes. It evaluates whether those controls protect assets, maintain data integrity, and support business objectives. IS audit is a recognised specialisation within the audit profession (e.g. CISA from ISACA).

Question 11

What is a CIS Benchmark?

Accepted Answer

The Center for Internet Security (CIS) publishes consensus-based configuration benchmarks for major cloud platforms, operating systems, and applications. A CIS Benchmark is essentially a detailed checklist of secure configuration settings. Auditors use CIS Benchmarks as the yardstick when reviewing cloud environments.

Question 12

What is the shared responsibility model?

Accepted Answer

In public cloud, the provider (AWS / Azure / GCP) is responsible for the security OF the cloud, physical infrastructure, hypervisors, the underlying network. The customer is responsible for security IN the cloud, configuration, identity, data, application code. Most cloud breaches stem from customer-side misconfiguration, not provider failure.

Question 13

What is a cloud security configuration review?

Accepted Answer

It is an independent assessment of how your cloud environment is configured against CIS Benchmarks and the cloud provider's own best practice. Typical findings include over-permissive IAM, public storage buckets, missing logging, weak encryption key management, and exposed management ports.

Question 14

What is a readiness assessment?

Accepted Answer

A readiness assessment is a 'mock audit' performed before the formal SOC, ITGC, or other audit. The objective is to identify gaps between current state and the standard, so they can be fixed before the real audit begins. It avoids the cost of an audit failure and gives you a roadmap to remediation.

Question 15

What are the Trust Services Criteria?

Accepted Answer

These are the five criteria used in SOC 2 to evaluate controls: Security (always required), Availability (uptime and disaster recovery), Confidentiality (protection of sensitive non-personal data), Processing Integrity (completeness and accuracy of processing), and Privacy (handling of personal information). You select which ones are in scope based on what your customers care about.

Question 16

What is a carve-out vs inclusive method?

Accepted Answer

If your service uses subservice organisations (e.g. AWS, a payment processor), you can either 'carve out' their controls (exclude them from scope and let customers rely on the subservice provider's own SOC report) or use the 'inclusive' method (include the subservice provider's controls in your report). Carve-out is far more common.

Question 17

Audit vs attestation, what is the difference?

Accepted Answer

An audit (e.g. financial statement audit) results in an opinion on financial statements. An attestation engagement (e.g. SOC 1, SOC 2) results in an opinion on a subject matter, in this case, controls, against defined criteria. SOC engagements are attestation engagements, not audits in the strict sense, but the term 'audit' is used colloquially.

The basics, in plain language.

SOC 1, SOC 2 and SOC 3, what they are.

The difference between Type 1 and Type 2.

Information systems and IT general controls.

Cloud security and CIS Benchmarks.

Readiness and process basics.

Talk it through with a Chartered Accountant.