DGC and PKF O'Connor Davies Join Forces

Effective January 1, 2022, DGC merged with PKF O’Connor Davies (PKFOD), the 27th largest accounting and advisory firm in the U.S.

SOC 2 Type 1 vs. Type 2: How to Decide?

9/23/2020 Articles & Podcasts

Many service organizations are asked to present their SOC 2 reports, but unfortunately they may not have one and may be uncertain whether they should get a Type 1 or a Type 2 report.

The SOC 2 report, developed by the American Institute of Certified Public Accountants (AICPA), is an auditor's report on the controls at an organization relative to security, availability, confidentiality, processing integrity, and privacy. These five domains are known as the Trust Services Criteria and were previously known as Trust Service Principles.

Beyond the scope of the SOC 2, however, there are two different "types" of reports - a Type 1 and a Type 2 report.

SOC 2 Types have to do with the nature and timing of the examination. A Type 1 report is an auditor's examination of control design as of a particular date. The auditor will review how well your controls are designed to meet the criteria of the SOC 2. In a Type 2 examination, the auditor will not only examine how well your controls are designed but will also test how well your controls operated within a given period of time, generally 6-12 months. This difference means that obtaining an unmodified opinion (think of a clean bill of health) is considerably more challenging for a Type 2. Not only do you need sufficiently designed controls, but you also have to ensure that they operate effectively for the entire audit period.

 

Contents of Type 1 vs. Type 2 SOC 2 Reports

Source: AICPA

Section 1

Type 1 Report: Description of the system as of a point in time in accordance with the description criteria

Type 2 Report: Description of the system throughout a period of time in accordance with the description criteria

Section 2

Type 1 Report: Management assertion that addresses whether:

  1. The description of the service organization’s system as of a point in time is presented in accordance with the description criteria, and
  2. The controls stated in the description were suitably designed as of a point in time to provide reasonable assurance that the service organization’s service commitments and system requirements were achieved based on the applicable trust services criteria

Type 2 Report: Management assertion that addresses whether:

  1. The description of the service organization’s system throughout a period of time is presented in accordance with the description criteria,
  2. The controls stated in the description were suitably designed throughout a period of time to provide reasonable assurance that the service organization’s service commitments and system requirements were achieved based on the applicable trust services criteria, and
  3. The controls stated in the description operated effectively throughout a period of time to provide reasonable assurance that the service organization’s service commitments and system requirements were achieved based on the applicable trust services criteria

Section 3

Type 1 Report: The service auditor’s opinion about whether:

  1. The description of the service organization’s system as of a point in time is presented in accordance with the description criteria, and
  2. The controls stated in the description were suitably designed as of a point in time to provide reasonable assurance that the service organization’s service commitments and system requirements were achieved based on the applicable trust services criteria

Type 2 Report: The service auditor’s opinion about whether:

  1. The description of the service organization’s system throughout a period of time is presented in accordance with the description criteria,
  2. The controls stated in the description were suitably designed throughout a period of time to provide reasonable assurance that the service organization’s service commitments and system requirements were achieved based on the applicable trust services criteria, and
  3. The controls stated in the description operated effectively throughout a period of time to provide reasonable assurance that the service organization’s service commitments and system requirements were achieved based on the applicable trust services criteria

Section 4

Type 1 Report: Description of the control activities in place as of the point in time

Type 2 Report: Description of the service auditor’s tests of controls and results thereof

Section 5

Type 1 Report: Other information provided by the service organization when applicable

Type 2 Report: Other information provided by the service organization when applicable

How do you know which Type is most appropriate for you? More than likely, you will be pushed in a particular direction by customer and prospect requirements. Are you being asked for a Type 2? If not, a Type 1 may suffice. In our experience, your customers' auditors, depending on their industry, may accept a Type 1 for the first year or two. However, most user organizations will eventually want to see a Type 2 report, as it assures them that your control environment was operating effectively throughout the entire year.

If you have questions about which SOC 2 Type may be most appropriate for your organization, please contact a member of your DGC client service team or Nick DeLena, CISSP, CISA, CRISC at 781-937-5191 / ndelena@dgccpa.com.

About the Author

Nick DeLena, CISSP, CISA, CRISC, CDPSE, Partner