There is certainly overlap between SOC 1 and SOC 2 reports. For example, the security principle in a SOC 2 report refers to the protection of the system from unauthorized access (logical and physical), and to limiting access to the system to prevent potential abuse of the system, theft of resources, misuse of software, improper access or usage, and the alteration, destruction and disclosure of information. Key elements for the protection of the system include granting authorized access based on relevant needs and preventing unauthorized access to the system in all other instances. Some of this language is seen in a general computer control objective in a SAS 70 and will continue to be seen in an SSAE16/SOC 1 report. Abuse of the system and theft of resources are not often an ICFR concern or an SSAE16/SAS 70 risk.