OUR THOUGHTS ON:

How to Decide if a Type 1 or Type 2 SOC Report is Right for Your Organization

SSAE 18/SOC

By Timothy Wolfgang

In a previous article, we described the differences between SOC 1 reports and SOC 2 reports.  Once an organization decides to pursue a SOC 1 or SOC 2 report, the next decision it will need to make is whether it will complete a Type 1 examination or a Type 2 examination. We can start by defining the scope of each type of examination:

A Type 1 examination is an evaluation of the design of controls and the fairness of the presentation of the organization’s system description. A Type 1 report provides assurance about whether controls are in place as of a point in time.

A Type 2 examination is an evaluation of the design of controls, the fairness of the presentation of the organization’s system description and an evaluation of the operating effectiveness of the controls over a period of time. A Type 2 report provides assurance about whether controls were working as designed during the report period, typically 6-12 months. 

Since a Type 2 report includes control testing over a period of time, it provides users of the report a greater degree of assurance whether an organization has an adequate control environment. For this reason, the Type 2 report is what most users request, and expect to receive. 

That’s not to say a Type 1 report isn’t useful. The main reason that an organization would choose to obtain a Type 1 report is because there is a desire to get a report issued quickly, often due to contractual requirements. Since the auditor’s procedures represent a single point-in-time, the report can be issued within a few months, whereas a Type 2 report requires testing the controls for the in-scope period in order for the service auditor to conclude whether the controls were operating effectively during the period. A second, although much less common reason, is the organization’s users find that the content of a Type 1 report is acceptable for their needs. 

Some organizations may perform a Type 1 examination for their first SOC report in order to get a report in their users’ hands more quickly, and then transition to a Type 2 report for subsequent reporting periods. When producing a Type 1 report, organizations should be prepared to answer questions about whether they are planning to produce a Type 2 report and when they expect that to occur. 

You’ve heard our thoughts… We’d like to hear yours

The Schneider Downs Our Thoughts On blog exists to create a dialogue on issues that are important to organizations and individuals. While we enjoy sharing our ideas and insights, we’re especially interested in what you may have to say. If you have a question or a comment about this article – or any article from the Our Thoughts On blog – we hope you’ll share it with us. After all, a dialogue is an exchange of ideas, and we’d like to hear from you. Email us at contactSD@schneiderdowns.com.

Material discussed is meant for informational purposes only, and it is not to be construed as investment, tax, or legal advice. Please note that individual situations can vary. Therefore, this information should be relied upon when coordinated with individual professional advice.

© 2019 Schneider Downs. All rights-reserved. All content on this site is property of Schneider Downs unless otherwise noted and should not be used without written permission.

comments