By Scott M. McAuliffe, CPA, CISA, CFE | Risk Advisory Services Partner
Part 3 of a 4 Part Series on SOC Reporting
Should My Service Organization Get a System and Organization Control (SOC) Type I or Type II Report?
Questions that service organizations often ask as they are trying to navigate the SOC report process for the first time are:
- What is the difference between a SOC 1 and SOC 2 report?
- Is that the same thing as a Type I and Type II report?
- What report do I need?
SOC 1 vs SOC 2: What’s the Difference?
The first answer is that SOC 1 and SOC 2 mean something different from Type I and Type II. To gain an understanding of SOC 1 and SOC 2 reports, see the first article in our series on whether or not your service organization needs a SOC 1 or SOC 2 report.
As for whether Type I and Type II reports are the same, and which report you need, the answer depends on why you are getting the report and the timeframe in which you need it.
What is a Type I Report?
A Type I report provides auditor assurances related to the accuracy of the described services/processes, systems, and controls but does not include testing of controls to demonstrate the controls were working properly over a period of time. Since testing is not performed, these reports can be completed and provided to a customer much more quickly than a Type II report.
With that said, because testing of controls is not included, Type I reports often do not meet the needs of a service organization’s customers. A service organization’s customers will normally want to see that the controls are working over a period of time. Due to that fact, service organizations that choose to obtain a Type I report are often under a tight time constraint to provide the report to a customer or prospective customer. In most cases, the Type I will only be performed once for a service organization, and then it will move to obtaining a Type II report.
What is a Type II Report?
A Type II report includes auditor assurances related to the accuracy of the described service/processes, systems, and controls, as well as whether controls were working properly over a period of time. Generally, these reports cover a year-long period and are re-performed annually.
In certain cases, a service organization might use a six-month period for its first report (to meet a customer’s timing requirement) and then move to a year-long period. In most cases, the service organization will want the reporting period to end within two months of December 31. The reason is that most of its customers probably have December 31 year-end dates and therefore want the SOC report to cover as much of their fiscal year as possible. For the remaining months not covered by the report, the service organization might be asked to provide a letter (referred to as a bridge letter) to its customer indicating the controls were still working properly after the SOC report date.