866.254.0000
Talk with a Specialist
Services
SOC & Attestations
Payment Card Assessments
ISO Certifications
Privacy Assessments
Federal Assessments
Healthcare Assessments
Penetration Testing
Cybersecurity Assessments
Crypto and Digital Trust
Schellman Training
ESG & Sustainability
AI Services
View All Services
Industry Solutions
Cloud Computing & Data Centers Meet a broad range of regulatory and industry compliance mandates for your customers
Financial Services & Fintech Cybersecurity assessments for both the banking industry and the financial service providers
Healthcare Reporting to manage risk and adhere to applicable laws and regulations
Payment Card Processing Validate compliance with the various forms of the PCI DSS
US Government Achieve authorization to work for federal agencies, DoD, and the associated contractor base
Higher Education & Research Laboratories Reinforce your commitment to securing your student's and institution's data.
View All Industry Solutions
Learning Center
Our Technology
About Us
Leadership Team
Careers
Corporate Social Responsibility
Strategic Partnerships
Visit About Us
Services
Services
View All Services
SOC & Attestations
SOC & Attestations
Payment Card Assessments
Payment Card Assessments
ISO Certifications
ISO Certifications
Privacy Assessments
Privacy Assessments
Federal Assessments
Federal Assessments
Healthcare Assessments
Healthcare Assessments
Penetration Testing
Penetration Testing
Cybersecurity Assessments
Cybersecurity Assessments
Crypto and Digital Trust
Crypto and Digital Trust
Schellman Training
Schellman Training
ESG & Sustainability
ESG & Sustainability
AI Services
AI Services
Industry Solutions
Industry Solutions
View All Industry Solutions
Cloud Computing & Data Centers
Cloud Computing & Data Centers
Financial Services & Fintech
Financial Services & Fintech
Healthcare
Healthcare
Payment Card Processing
Payment Card Processing
US Government
US Government
Higher Education & Research Laboratories
Higher Education & Research Laboratories
Learning Center
Our Technology
About Us
About Us
About Schellman
Leadership Team
Leadership Team
Careers
Careers
Corporate Social Responsibility
Corporate Social Responsibility
Strategic Partnerships
Strategic Partnerships
Talk with a Specialist

«  View All Posts

Do Data Centers Need SOC 1 Or SOC 2? Blog Feature
MATTHEW HITE

By: MATTHEW HITE

Print/Save as PDF

Do Data Centers Need SOC 1 Or SOC 2?

SOC Examinations

The first question many service organizations have when they begin the process of researching Service Organization Control (SOC) reports is: which SOC report(s) do they need?  The American Institute of Certified Public Accountants (AICPA) has designed three SOC reports to accommodate the needs of service organizations and it is important to understand the purpose and intended use of each report:

  • SOC 1 reports are performed under the SSAE No. 16 standard and are designed to provide user entities and their financial statement auditors, also referred to as user auditors, information on how the service organization’s controls impact the internal controls over financial reporting (ICFR) of their user entity customers. SOC 1 reports are often used by the user auditors as part of compliance with the Sarbanes-Oxley Act of 2002 (SOX).
  • SOC 2 reports are performed under the existing AT Section 101 standard and are intended to provide the service organization’s management, user entities, and other specified parties, with information about controls that may affect the security, availability, processing integrity, confidentiality, or privacy of the service organization’s systems and services.
  • SOC 3 reports are performed under the same standard as SOC 2 reports and have a similar purpose; however, SOC 3 reports are general use reports that can be freely distributed to anyone, and do not contain the same level of detail in the description of the service organization’s systems or the tests applied to controls.

Service organizations may undergo one or more of the above examinations by engaging with a licensed CPA, often referred to as a service auditor.  However, due to the differences in the SOC 1 report compared to the other two, it is not possible for organizations to substitute a SOC 1 report for a SOC 2 or SOC 3 report.  Because of this, service organizations should consider obtaining multiple SOC reports to accommodate the needs of their customers.

Data center providers fall into a unique category of services that requires additional consideration when identifying which report(s) are best suited for their customers.  The first and most obvious step is for data center providers to reach out to their customers to understand their user auditor requirements.  As part of this process, data center providers should identify whether the services that they provide protect the financial systems of their customers, or otherwise have an impact on their customer’s internal controls over financial reporting.  Typically, you will find that the majority of data center providers obtain a SOC 1 report due to their most common types of services, colocation and managed services, having an expressed effect on their customer’s internal control over financial reporting processes.

This does not mean that a data center cannot also obtain a SOC 2 or SOC 3 report.  In the past few years it has become increasingly more popular for data center providers to obtain a SOC 2 report in addition to the SOC 1 report.  This is primarily due to the increasing popularity of SOC 2 reports across all industries because of its more detailed framework of criteria relating to security, availability, processing integrity, confidentiality, and privacy.  In addition, stakeholders of the organization, including management, often prefer the additional compliance requirements provided by the SOC 2 report.

Obtaining both a SOC 1 and SOC 2 report does not come without its challenges.  The more detailed requirements of the SOC 2 report can identify issues of noncompliance with service organizations.  Additionally, SOC 2 examinations often require additional resources to complete.  However, choosing an experienced service auditor to perform multiple examinations concurrently can provide efficiencies that will reduce the amount of cost and effort to complete.

Ultimately, it is not required for data centers to obtain any of the SOC reports, absent an expressed need from the organizations stakeholders.  However, in a world with increasing priority being placed on data security, obtaining SOC reports can set a data center provider apart from their competition.  Being able to provide customers with the assurance granted by the SOC 1 and SOC 2 reports may be the difference between maintaining a happy customer and losing them completely.

4010 W Boy Scout Boulevard
Suite 600
Tampa, FL 33607

U.S. 1.866.254.0000

Outside the U.S.
1.813.288.8833

Resources
Company
Stay Up-to-Date

Sign up to receive Schellman's Weekly Ready delivered every Friday morning.

© SchellmanPrivacy PolicyTerms of Use

“Schellman” is the brand name under which Schellman & Company, LLC and Schellman Compliance, LLC provide professional services. Schellman & Company, LLC and Schellman Compliance, LLC practice as an alternative practice structure in accordance with the AICPA Code of Professional Conduct and applicable law, regulations and professional standards. Schellman & Company, LLC is a licensed certified public accounting firm (Florida license number AD62941) registered with the Public Company Accounting Oversight Board (PCAOB) that provides attest services to its clients, and Schellman Compliance, LLC provides nonattest cybersecurity and compliance professional services to its clients. Schellman Compliance, LLC is not a licensed CPA firm. Schellman & Company, LLC and Schellman Compliance, LLC are independently owned and are not liable for the services provided by any other entity providing services under the Schellman brand. Our use of the terms “our firm” and “we” and “us” and terms of similar import, denote the alternative practice structure conducted by Schellman & Company, LLC and Schellman Compliance, LLC.