AUD CPA Practice Questions: The Differences Between SOC 1 and SOC 2 Engagements

The Differences Between SOC 1 and SOC 2 Engagements


In this video, we walk through 5 AUD practice questions teaching about the differences between SOC 1 and SOC 2 engagements. These questions are from AUD content area 2 on the AICPA CPA exam blueprints: Assessing Risk and Developing a Planned Response.

The best way to use each video is to pause each time we get to a new question in the video, and then make your own attempt at the question before watching us go through it.

When businesses rely on third-party service providers, they often need assurance that these providers have effective internal controls in place. That’s where SOC (System and Organization Controls) reports come in. In this post, we’ll break down the key differences between SOC 1 and SOC 2 engagements, explore Type 1 vs. Type 2 reports, and give examples.

What Is a SOC 1 Engagement?

A SOC 1 engagement evaluates the controls at a service organization that are relevant to its user entities’ internal control over financial reporting (ICFR). It matters for providers whose outsourced services feed directly into their clients’ financial statements, such as payroll processors, loan servicing companies, or third-party billing providers.

For example, if a payroll service provider calculates wages for multiple businesses, an error in its system would flow straight into the payroll expense reported on each client’s financial statements. A SOC 1 report gives those clients and their financial statement auditors assurance that the provider’s controls over that processing were suitably designed and placed in operation, rather than leaving each client to test the provider’s system themselves.

What Is a SOC 2 Engagement?

A SOC 2 engagement assesses a service organization’s controls against the Trust Services Criteria: security, availability, processing integrity, confidentiality, and privacy. Security is the only category every SOC 2 report must cover; the other four are added depending on the service and the commitments the organization makes to its customers. These reports are not about financial reporting; they help customers evaluate whether a service provider has sound data protection and cybersecurity controls.

For example, a cloud storage provider that hosts sensitive business data might undergo a SOC 2 examination to demonstrate that its controls over logical access, change management, and monitoring are designed and operating to prevent unauthorized access. A prospective client will typically request the SOC 2 report during vendor due diligence, before signing a contract, and should read the scope, the auditor’s opinion, and any noted exceptions rather than treating the existence of the report as proof that the data is safe.

Type 1 vs. Type 2 SOC Reports

Both SOC 1 and SOC 2 reports can be issued as Type 1 or Type 2, depending on the depth of the assessment.

  • Type 1 Report: Reports on whether a service organization’s controls are suitably designed and implemented as of a specific date (e.g., “as of December 31, 2024”). It does not test whether the controls operated effectively over a period, only that they were properly designed and in place on that date.
  • Type 2 Report: Reports on both the design and the operating effectiveness of controls over a period of time (e.g., “from January 1, 2024, to December 31, 2024”), typically six to twelve months. The auditor tests samples of control activity across the period, so a Type 2 report gives greater assurance that controls are not only in place but also functioning as intended.

For example, a SOC 2 Type 1 report might confirm that a cloud provider had a firewall configuration standard and an encryption policy in place on a given date, while a SOC 2 Type 2 report would test whether those controls actually operated throughout the period, for instance by sampling firewall rule changes and quarterly access reviews to confirm each was approved and performed. Control failures found in that testing are listed as exceptions in the report, so readers should look for them rather than stopping at the opinion.

Examples:

To reinforce these concepts, let’s consider a few scenarios and determine the correct SOC engagement and report type:

  1. A financial services company wants assurance that their outsourced payroll provider’s controls over payroll transactions are effective over the past year.
    • Answer: SOC 1 Type 2 (Financial reporting controls, tested over time).
  2. A cybersecurity firm provides an auditor with a report stating that its security and confidentiality controls were evaluated as of June 30, 2024, but no testing was done over time.
    • Answer: SOC 2 Type 1 (Trust Services Criteria controls, point-in-time evaluation).
  3. A cloud-based document storage company needs to prove to new clients that its security controls have been operating effectively for the past 12 months.
    • Answer: SOC 2 Type 2 (Trust Services Criteria controls, tested over time).
  4. A third-party billing company is asked to provide a report on whether its financial reporting controls were properly designed as of a single date.
    • Answer: SOC 1 Type 1 (Financial reporting controls, point-in-time evaluation).

Final Thoughts

SOC reports provide businesses with assurance when working with third-party service providers. SOC 1 engagements are focused on controls relevant to financial reporting, while SOC 2 engagements assess security and the other Trust Services Criteria. Understanding the difference between Type 1 and Type 2 reports helps businesses choose the right level of assurance based on whether they need to verify only control design at a point in time (Type 1) or both design and operating effectiveness over a period (Type 2).
