SOC 1 & SOC 2 Reporting, Explained
What SOC 1 and SOC 2 reports cover, the difference between Type I and Type II, the Trust Services Criteria, and a practical readiness checklist.
SOC reports give your customers independent assurance that the controls protecting their data and services actually work. They’re issued under standards set by the AICPA and are widely requested by enterprise buyers — especially in financial services and SaaS.
SOC 1
Financial reporting (ICFR)Focuses on controls relevant to your customers’ financial reporting. If what you do can affect a client’s financial statements — payroll, payments processing, billing — a SOC 1 is usually what’s requested.
SOC 2
Trust Services CriteriaFocuses on the Trust Services Criteria — security, availability, processing integrity, confidentiality and privacy. It’s the report most technology and SaaS providers need to show they protect customer data.
Type I
Point in timeAssesses whether your controls are suitably designed at a single point in time.
Type II
Over a period · carries more weightAssesses whether those controls also operated effectively over a period — typically 3–12 months. Type II is what enterprise buyers usually ask for.
Scoping
Agree the system boundary, which Trust Services Criteria apply, and the observation period.
Readiness review (optional)
An honest gap check against the criteria before the formal examination begins.
Remediation
Close the gaps — implement or tidy up controls, policies and evidence processes.
Observation & examination
Operate controls across the period (Type II); we test them and collect evidence.
Report & opinion
You receive an independent SOC report to share with customers under NDA.
SOC 2 Type 2 Readiness Checklist
Work through these to gauge how ready you are for a SOC 2 Type 2 examination. Tick items off as you go — your progress is saved on this device.
Ready to start your SOC 2 journey?
Talk to an independent SOC assessor — conflict-free, across New Zealand & Australia.
Book a scoping call →