In a previous article, we described the differences between SOC 1 reports and SOC 2 reports. Once an organization decides to pursue a SOC 1 or SOC 2 report, the next decision it will need to make is whether it will complete a Type 1 examination or a Type 2 examination. We can start by defining the scope of each type of examination:
A Type 1 examination is an evaluation of the design of controls and the fairness of the presentation of the organization’s system description. A Type 1 report provides assurance about whether controls are in place as of a point in time.
A Type 2 examination is an evaluation of the design of controls, the fairness of the presentation of the organization’s system description, and the operating effectiveness of the controls over a period of time. A Type 2 report provides assurance about whether controls were working as designed during the report period, typically 6-12 months.
Since a Type 2 report includes control testing over a period of time, it gives users of the report a greater degree of assurance about whether an organization has an adequate control environment. For this reason, the Type 2 report is what most users request and expect to receive.
That’s not to say a Type 1 report isn’t useful. The main reason an organization would choose to obtain a Type 1 report is a desire to get a report issued quickly, often due to contractual requirements. Since the auditor’s procedures represent a single point in time, the report can be issued within a few months, whereas a Type 2 report requires testing the controls for the in-scope period in order for the service auditor to conclude whether the controls were operating effectively during the period. A second, although much less common, reason is that the organization’s users find the content of a Type 1 report acceptable for their needs.
Some organizations may perform a Type 1 examination for their first SOC report in order to get a report in their users’ hands more quickly, and then transition to a Type 2 report for subsequent reporting periods. When producing a Type 1 report, organizations should be prepared to answer questions about whether they are planning to produce a Type 2 report and when they expect that to occur.