Many service organizations are asked by customers to present a SOC 2 report but do not yet have one, and are uncertain whether they should obtain a Type 1 or a Type 2 report.
The SOC 2 report, developed by the American Institute of Certified Public Accountants (AICPA), is an auditor's report on the controls at an organization relative to security, availability, confidentiality, processing integrity, and privacy. These five domains are known as the Trust Services Criteria and were previously known as Trust Service Principles.
Separate from the scope of a SOC 2 (which of the five criteria are covered), there are two different "types" of report: a Type 1 and a Type 2.
The Type has to do with the nature and timing of the examination. A Type 1 report is an auditor's examination of control design as of a particular date: the auditor reviews whether your controls, as designed, are suitable to meet the SOC 2 criteria, but does not test whether they actually operated. In a Type 2 examination, the auditor not only evaluates how well your controls are designed but also tests whether they operated effectively throughout a stated period, generally 6-12 months. The bar for obtaining an unmodified opinion (think a clean bill of health) is therefore considerably higher for a Type 2: you need suitably designed controls, and you also need evidence that they operated effectively, without gaps, for the entire audit period.
Contents of Type 1 vs. Type 2 SOC 2 Reports (Source: AICPA)

| | Type 1 Report | Type 2 Report |
|---|---|---|
| Section 1 | 1. Description of the system as of a point in time in accordance with the description criteria | 1. Description of the system throughout a period of time in accordance with the description criteria |
| Section 2 | 2. Management assertion that addresses whether: | 2. Management assertion that addresses whether: |
| Section 3 | 3. The service auditor's opinion about whether: | 3. The service auditor's opinion about whether: |
| | 4. Description of the control activities in place as of the point in time | 4. Description of the service auditor's tests of controls and results thereof |
| | 5. Other information provided by the service organization when applicable | 5. Other information provided by the service organization when applicable |
How do you know which Type is most appropriate for you? More than likely, you will be pushed in a particular direction by customer and prospect requirements. Are you being asked for a Type 2? If not, a Type 1 may suffice. In our experience, your customers' auditors, depending on their industry, may accept a Type 1 for the first year or two. However, most user organizations will eventually want to see a Type 2 report, because only a Type 2 gives them assurance that your control environment actually operated effectively throughout the period, rather than merely being designed appropriately on a single date.
If you have questions about which SOC 2 Type may be most appropriate for your organization, please contact a member of your DGC client service team or Nick DeLena, CISSP, CISA, CRISC at 781-937-5191 / ndelena@dgccpa.com.