When to Choose a SOC 1 vs SOC 2 Report

By Scott M. McAuliffe, CPA, CISA, CFE, Risk Advisory Services Partner

When to Choose a SOC 1 vs SOC 2 Report

By Scott M. McAuliffe, CPA, CISA, CFE | Risk Advisory Services Partner

Part 3 of a 4 Part Series on SOC Reporting

Should My Service Organization Get a System and Organization Control (SOC) Type I or Type II Report?

Questions that service organizations often ask as they are trying to navigate the SOC report process for the first time are:

  • What is the difference between a SOC 1 and SOC 2 report?
  • Is that the same thing as a Type I and Type II report?
  • What report do I need?

SOC 1 vs SOC 2: What’s the Difference?

The first answer is SOC 1 and SOC 2 has a different meaning than Type I and Type II. To gain an understanding of SOC 1 and SOC 2 reports, see the first article in our series on whether or not your service organizations needs a SOC 1 or SOC 2 report.

Regarding whether Type I and Type II reports are the same and what report you need is dependent on why you are getting the report and the timeframe in which you need the report.

What is a Type I Report?

A Type I report provide auditor assurances related to the accuracy of the described services/processes, systems, and controls but does not include testing of controls to demonstrate the controls were working properly over a period of time. Since testing is not performed, these reports can be completed and provided to a customer much quicker than a Type II report.

With that said, because testing of controls is not included, they often do not meet the needs of a service organization’s customers. A service organization’s customers will normally want to see that the controls are working over a period of time. Due to that fact, service organizations that choose to obtain a Type I report are often under a tight time constraint to provide the report to a customer or prospective customer. In most cases, the Type I will only be performed once for a service organization and then it will move to a obtaining a Type II report.

What is a Type II Report?

A Type II report includes auditor assurances related to the accuracy of the described service/processes, systems, and controls, as well as whether controls were working properly over a period of time. Generally, these reports cover a year-long period and are re-performed annually.

In certain cases, a service organization might use a six-month period for its first report (to meet a customer’s timing requirement) and then move to a year-long period. In most cases, the service organization will want the reporting period to end within two months of December 31. Reasons being, that most of their customer’s probably have December 31 year-end dates and therefore, want to have the SOC report cover as much of their fiscal year as possible. For the remaining months not covered by the report, the service organization might be asked to provide a letter (referred to as a bridge letter) to its customer indicating the controls were still working properly after the SOC report date.


Are you considering a SOC report and trying to figure out the right report for you? Keiter’s team of Risk Advisory Services professionals can help you. Email | Call: 804.747.0000

Access all of our articles in our SOC Reporting series

 

Share this Insight:

About the Author


Scott M. McAuliffe

Scott M. McAuliffe, CPA, CISA, CFE, Risk Advisory Services Partner

Scott leads the Firm’s Risk Advisory Services practice, which focuses on providing internal audits, cybersecurity and information technology consulting, Sarbanes-Oxley assistance and System and Organization Controls (SOC) Exams. Scott focuses on providing his clients with cost effective solutions to build strong, efficient internal control systems/practices that support their strategic objectives. In 2021, Scott achieved the Cybersecurity Maturity Model Certification (CMMC) Registered Practitioner (RP) status in order to provide CMMC services to Department of Defense prime and subcontractors.

More Insights from Scott M. McAuliffe

The information contained within this article is provided for informational purposes only and is current as of the date published. Online readers are advised not to act upon this information without seeking the service of a professional accountant, as this article is not a substitute for obtaining accounting, tax, or financial advice from a professional accountant.

Categories

Contact Us