SOC 1 or SOC 2: Which Is Right for My MSP?

Managed service providers (MSPs) provide a valuable service by enabling companies of all sizes to outsource their key information technology processes. Many of those companies who look to engage an MSP ask whether a SOC 1 or SOC 2 Examination has been completed to assess the MSP’s security posture.

Not sure where to start when a prospective customer asks you about a SOC report? Below are our top tips for determining if your MSP should complete a SOC 1 or a SOC 2 Examination – or both.

How Do I Know if My MSP Needs a SOC 1 or SOC 2?

Often, your clients will let you know which assessment they want your MSP to undergo. They might request a specific examination, such as SOC 1 or SOC 2, or they may be a little vaguer in their direction and ask for a third-party security audit to be completed by a CPA firm. If they’re less certain on which compliance assessment to complete, our SOC experts can review your MSP and its business practices to help determine the appropriate audit to undergo. Depending on the nature of your MSP, you might benefit from undergoing completing multiple compliance assessments concurrently in lieu of the overlap in process and requirements.

Who Should Get a SOC 1 Examination:

A SOC 1 audit is the ideal audit for MSPs that handle, process, store or transmit financial information. These industries may include:

  • Payroll Processors
    • A payroll processor distributes an organization’s payroll funds amongst its employees per the terms of the employer’s agreements as a service. The services of a payroll processor directly impact the organization’s financial reporting, making a SOC 1 audit critically important.
  • Collections Organizations
    • A collections firm collects money on behalf of another company as a service and records and transfers those funds back, reconciling the organization’s financial statements. Because of their direct impact on financial reporting, SOC 1 audits are vital for collections organizations.
  • Data Centers
    • A data center allows systems and software to operate with maximum availability as a service for other firms. If those systems or software are used for functional finance transactions, then the loss of availability could impact those transactions and therefore impact financial reporting.
  • SaaS MSPs
    • A software-as-a-service (SaaS) that offers a cloud service to an organization could be processing financial statements or reporting on statements that record to the general ledger, therefore impact financial reporting.

Who Should Get a SOC 2 Examination:

Organizations of all sizes and industries can benefit from a SOC 2 Examination, as the audit can be performed for an organization that provides a variety of services to its customers. A SOC 2 report highlights the controls in place that protect and secure an organization’s system or services used by its customers. Unlike a SOC 1, the scope of a SOC 2 Examination extends beyond the systems that have a financial impact, reaching all systems and tools used in support of the organization’s system or services. This assurance in the security of the environment can be provided thanks to the requirements within a SOC 2 Examination, known as the Trust Services Criteria (TSC). The TSC are based on upon the American Institute of Certified Public Accountants and consist of five categories:

  • Common Criteria/Security (required)
  • Availability (optional)
  • Processing Integrity (optional)
  • Confidentiality (optional)
  • Privacy (optional)

MSPs that could benefit the most from SOC 2 Examinations include:

  • Any Service Organization
    • Generally speaking, any MSP providing a service to a business, client or person should have a SOC 2 performed.
  • Data Centers
    • A data center allows systems and software to operate with maximum availability as a service for other firms. Because of the critical role that data centers play, availability and physical security of the system is extremely important to the clients purchasing the infrastructure or platform. To confirm a certain degree of availability, a SOC 2 is often requested or recommended.
  • SaaS MSPs
    • A cloud-based SaaS that is managed and hosted by a third party should complete a SOC 2 Examination to provide assurance on the security posture surrounding the in-scope system or service.

Read more: Leveraging a SOC 2 Examination to Differentiate Your MSP

Should Your MSP Conduct a SOC 1 and SOC 2?

As you may have noticed, some industries that MSPs serve recommend the completion of both a SOC 1 and SOC 2 Examination. Because the customer audience and value gained for a SOC 1 and a SOC 2 audit differ, it is often worth completing both a SOC 1 and SOC 2 Examination concurrently – especially considering a majority of the evidence and testing used in a SOC 1 can also be leveraged in the completion of a SOC 2 Examination. A-LIGN’s SOC experts will review the services offered to customers by your MSP in order to determine the best solution for you.

How A-LIGN Can Help

As customers begin to enhance their vendor management practices to secure their information, requests for compliance reports such as a SOC 1 or SOC 2 report will become more and more frequent. Working with a compliance service provider like A-LIGN, who has certified compliance professionals with extensive experience performing SOC 1 and SOC 2 audits, can set you on the right path in building credibility and trust with your customers. Moreover, A-LIGN is well-versed in meeting the requirements of a broad range of compliance standards and security frameworks including SOC, PCI, ISO, GDPR, FISMA and NIST to help you meet all compliance needs.