Can a SOC 1 be leveraged for a SOC 2?
Technology-based service organizations have seen the SOC 2 report gain immense traction over the past couple of years.
As a result, service organizations that have successfully completed SOC 1 examinations are now being asked by their clients to undergo a SOC 2 examination as well. Performing an additional examination can seem daunting, yet it is essential to maintain and potentially win new customers.
Fortunately, many of the controls between the SOC 1 and SOC 2 may overlap. In these instances, the service auditor should be able to leverage the documents used to complete the SOC 1 for certain controls/criteria in the SOC 2. The work required to complete the additional report will be incremental (assuming the time periods overlap).
About TERRY O'BRIEN
Terry O’Brien is a Senior Manager with Schellman. He is responsible for the management and execution of engagements across multiple service lines. Since joining in 2013, Terry has participated in business development activities and supported practice development initiatives via his participation in both the SOC and Cybersecurity Task Force. Terry has 10 years of IT compliance and attestation experience. Prior to his time at Schellman, he worked in the Advisory Services division of Grant Thornton in Chicago, Illinois.