How to Decide if a Type 1 or Type 2 SOC Report is Right for Your Organization

In a previous article, we described the differences between SOC 1 reports and SOC 2 reports.  Once an organization decides to pursue a SOC 1 or SOC 2 report, the next decision it will need to make is whether it will complete a Type 1 examination or a Type 2 examination. We can start by defining the scope of each type of examination:

A Type 1 examination is an evaluation of the design of controls and the fairness of the presentation of the organization’s system description. A Type 1 report provides assurance about whether controls are in place as of a point in time.

A Type 2 examination is an evaluation of the design of controls, the fairness of the presentation of the organization’s system description and an evaluation of the operating effectiveness of the controls over a period of time. A Type 2 report provides assurance about whether controls were working as designed during the report period, typically 6-12 months. 

Since a Type 2 report includes control testing over a period of time, it provides users of the report a greater degree of assurance whether an organization has an adequate control environment. For this reason, the Type 2 report is what most users request, and expect to receive. 

That’s not to say a Type 1 report isn’t useful. The main reason that an organization would choose to obtain a Type 1 report is because there is a desire to get a report issued quickly, often due to contractual requirements. Since the auditor’s procedures represent a single point-in-time, the report can be issued within a few months, whereas a Type 2 report requires testing the controls for the in-scope period in order for the service auditor to conclude whether the controls were operating effectively during the period. A second, although much less common reason, is the organization’s users find that the content of a Type 1 report is acceptable for their needs. 

Some organizations may perform a Type 1 examination for their first SOC report in order to get a report in their users’ hands more quickly, and then transition to a Type 2 report for subsequent reporting periods. When producing a Type 1 report, organizations should be prepared to answer questions about whether they are planning to produce a Type 2 report and when they expect that to occur. 

You’ve heard our thoughts… We’d like to hear yours

The Schneider Downs Our Thoughts On blog exists to create a dialogue on issues that are important to organizations and individuals. While we enjoy sharing our ideas and insights, we’re especially interested in what you may have to say. If you have a question or a comment about this article – or any article from the Our Thoughts On blog – we hope you’ll share it with us. After all, a dialogue is an exchange of ideas, and we’d like to hear from you. Email us at contactSD@schneiderdowns.com.

Material discussed is meant for informational purposes only, and it is not to be construed as investment, tax, or legal advice. Please note that individual situations can vary. Therefore, this information should be relied upon when coordinated with individual professional advice.

© 2019 Schneider Downs. All rights-reserved. All content on this site is property of Schneider Downs unless otherwise noted and should not be used without written permission.

our thoughts on

Five Questions to Assist With Identifying SOC Report Scope
SOC 2 Reports: Common Control Exceptions and How to Avoid Them
SOC 2 Examinations - What Are the Trust Services Criteria and Categories?
How to Decide if a Type 1 or Type 2 SOC Report is Right for Your Organization
SOC Report Refresher: What Are the Different Types of SOC Reports?
Will Cloud Service Providers' SOC 2 Reports Satisfy SaaS Companies' Customer Assurance Needs?

Register to receive our weekly newsletter with our most recent columns and insights.

Have a question? Ask us!

We’d love to hear from you. Drop us a note, and we’ll respond to you as quickly as possible.

Ask us

contact us

Map of Pittsburgh Office
Pittsburgh

One PPG Place, Suite 1700
Pittsburgh, PA 15222

contactsd@schneiderdowns.com
p:412.261.3644     f:412.261.4876

Map of Columbus Office
Columbus

65 East State Street, Suite 2000
Columbus, OH 43215

contactsd@schneiderdowns.com
p:614.621.4060     f:614.621.4062