How to Decide if a Type 1 or Type 2 SOC Report is Right for Your Organization

SOC
by Timothy Wolfgang
share with a colleague Download PDF

In a previous article, we described the differences between SOC 1 reports and SOC 2 reports.  Once an organization decides to pursue a SOC 1 or SOC 2 report, the next decision it will need to make is whether it will complete a Type 1 examination or a Type 2 examination. We can start by defining the scope of each type of examination:

A Type 1 examination is an evaluation of the design of controls and the fairness of the presentation of the organization’s system description. A Type 1 report provides assurance about whether controls are in place as of a point in time.

A Type 2 examination is an evaluation of the design of controls, the fairness of the presentation of the organization’s system description and an evaluation of the operating effectiveness of the controls over a period of time. A Type 2 report provides assurance about whether controls were working as designed during the report period, typically 6-12 months. 

Since a Type 2 report includes control testing over a period of time, it provides users of the report a greater degree of assurance whether an organization has an adequate control environment. For this reason, the Type 2 report is what most users request, and expect to receive. 

That’s not to say a Type 1 report isn’t useful. The main reason that an organization would choose to obtain a Type 1 report is because there is a desire to get a report issued quickly, often due to contractual requirements. Since the auditor’s procedures represent a single point-in-time, the report can be issued within a few months, whereas a Type 2 report requires testing the controls for the in-scope period in order for the service auditor to conclude whether the controls were operating effectively during the period. A second, although much less common reason, is the organization’s users find that the content of a Type 1 report is acceptable for their needs. 

Some organizations may perform a Type 1 examination for their first SOC report in order to get a report in their users’ hands more quickly, and then transition to a Type 2 report for subsequent reporting periods. When producing a Type 1 report, organizations should be prepared to answer questions about whether they are planning to produce a Type 2 report and when they expect that to occur. 

You’ve heard our thoughts… We’d like to hear yours

The Schneider Downs Our Thoughts On blog exists to create a dialogue on issues that are important to organizations and individuals. While we enjoy sharing our ideas and insights, we’re especially interested in what you may have to say. If you have a question or a comment about this article – or any article from the Our Thoughts On blog – we hope you’ll share it with us. After all, a dialogue is an exchange of ideas, and we’d like to hear from you. Email us at [email protected].

Material discussed is meant for informational purposes only, and it is not to be construed as investment, tax, or legal advice. Please note that individual situations can vary. Therefore, this information should be relied upon when coordinated with individual professional advice.

© 2023 Schneider Downs. All rights-reserved. All content on this site is property of Schneider Downs unless otherwise noted and should not be used without written permission.

our thoughts on
IT Risk Advisory, SOC, SOC 2 BY Bill Deller
20 Pre-Contract Questions To Ask Your Next SOC 2 Audit Firm
read more >
Risk Advisory/Internal Audit, SOC, SOC 2 BY Heather Haemer
What Should a Service Organization Consider When Determining Its SOC Report Testing Period?
read more >
Cybersecurity, SOC, SOC 2 BY Karl Bixler
What is blockchain? How can I secure my blockchain environment?
read more >
IT Risk Advisory, SOC, SOC 2 BY Anna Covatto, Jacob Katz
The Benefits of a Compliance Automation Platform
read more >
IT Risk Advisory, SOC, SOC 2 BY Holly Russo
Which SOC Report Is Right for You?
read more >
Cybersecurity, IT Risk Advisory, SOC, SOC 2 BY Schneider Downs Professional
What Evidence Is Requested During SOC 2 Audits?
read more >
Register to receive our weekly newsletter with our most recent columns and insights.
subscribe for updates
most recent
President Biden Signs Executive Order on Safe, Secure, and Trustworthy Artificial Intelligence
IT Risk Advisory, Technology
By Gabriel Zisk | 11.15.2023

Learn more about President Biden's Executive Order on Safe, Secure, and Trustworthy Artificial Intelligence. ...

read more
most popular
Frauds of the Rich and the Famous: The Star-studded Saga of Jennifer Shah
Business Advisors, Fraud
By Alyssa Brunatti | 11.15.2023

Learn more about the telemarketing scam and wire fraud charges against one of the "Real Housewives of Salt Lake City". ...

read more
Have a question? Ask us!

We’d love to hear from you. Drop us a note, and we’ll respond to you as quickly as possible.

Ask us
contact us
Pittsburgh
Columbus
Metropolitan Washington
Image of Prime Global Logo
follow us client portal

This site uses cookies to ensure that we give you the best user experience. Cookies assist in navigation, analyzing traffic and in our marketing efforts as described in our Privacy Policy.

×
Accept