If you are being asked to obtain a System and Organization Controls (SOC) report by your existing user entity or a potential user entity, you may question whether you should obtain a SOC 1, SOC 2, or SOC 3 report. You may also wonder whether it should be a Type 1 or a Type 2 report (also known as Type I or Type II SOC reports).
If you are a service provider that is considering your first SOC audit to satisfy an existing or potential user entity request, it may benefit you to understand the difference between the SOC reports and their report types, specifically a Type 1 audit report and a Type 2 audit report, as well as when you should choose one over the other. This article will help you to understand these reports and their types.
What is a SOC Report, & Why Do You Need One?
SOC audit reports are provided by service organizations to their user entities in lieu of multiple user entities performing individual audits over the services being provided. Service organizations provide outsourcing services that impact the control environment of their customers. The controls at the service organization that cover the services being provided to the user entity are examined by an independent, third-party auditor to determine whether they are suitably designed and operating effectively to reliably provide the service commitments made by the service provider. A SOC report establishes trust, credibility, and a competitive advantage for the service organization and its service delivery.
What are the Different SOC Reports?
There are different SOC reports available and their purpose is described below.
SOC 1 – A SOC 1 report is provided by the service organization to the user entity when their controls are relevant to the user entities’ internal control over financial reporting. The service organization defines the service offering scope and control objectives. Learn more from our blog on What is a SOC 1 Report?
SOC 2 – A SOC 2 report provides information about the controls at a service organization relevant to the data processed and stored by the service provider’s system and the five trust services criteria categories as noted below:
The SOC 2 report is not significant to the user entity’s internal control over financial reporting. For additional information, check out this blog: What is a SOC 2 Report?
SOC 3 – A SOC 3 report is a short form, general use report that gives users and interested parties a report about controls at a service organization related to security, availability, processing integrity, confidentiality, and/or privacy. Unlike a SOC 2 report, there is no description of tests of controls and results which limits its usability.
Both the SOC 2 and SOC 3 provide a standard benchmark for which the service organization is measured against under the trust services criteria. The SOC 1 and SOC 2 reports are not general use reports like a SOC 3 report, but are generally restricted to the service organization and their user entities and the user entities’ auditors. The ability to share a SOC 3 report is not restrictive which makes it a great marketing tool.
SOC for Cybersecurity – This report examines an entity’s cybersecurity risk management program and assesses the effectiveness of controls within that program.
Similarities Between Type 1 & Type 2 SOC Reports
There are several similarities between the report types. Both report types provide the user with an overview of the service organization’s system in place utilized by the user entities. Controls and processes are designed to achieve the control objectives (SOC 1) or trust services criteria (SOC 2) that, in aggregate, form the basis for how the service organization reliably provides the delivery of services to its user entities.
Individual internal controls are linked to these control objectives or trust services criteria that provide the process the service organization undergoes to ensure the achievement and reliable performance of the services provided. There are typically multiple controls linked to a control objective or trust services criteria. A description is also included of the complementary user entity controls required to be in place at the user entity for the entire system of controls to work in aggregate and function properly as intended.
Additionally, a management’s assertion from the service organization is provided that addresses the description of the service organization’s system and whether the controls are suitably designed to provide reasonable assurance over the service commitments and system requirements to meet the stated control objectives or trust services criteria.
What is the Difference Between a Type 1 & Type 2 SOC Report?
The main difference between the two types of reports is within the coverage and depth of the audit procedures performed.
What are Type 1 SOC Reports?
A Type 1 SOC report is as of a point in time (e.g., September 30). It only covers the design effectiveness of the internal controls that help to meet the control objectives or trust services criteria over the outsourced services that are provided to user entities and for which they are relying upon from the service organization. The Type 1 audit report attests to the suitability of the internal controls and validates the sufficiency of the controls in aggregate to meet the achievement of the control objective or trust services criteria described.
A readiness assessment can be performed for the service organization to understand if their existing controls are adequate for compliance or what recommendations should be implemented prior to the Type 1 SOC assessment.
What are Type 2 SOC Reports?
A Type 2 SOC report covers a period of time, typically twelve months (e.g., October 1, 2019 – September 30, 2020). This type of audit report covers the design of the internal controls as well as the operating effectiveness of the internal controls over time that help to meet the control objectives or trust services criteria over the outsourced services provided to the user entities. A Type 2 SOC engagement provides reasonable assurance that the controls were designed and operated effectively to meet the service organization’s control objectives or trust services criteria over the service delivery during the period of time under review.
A Type 2 SOC report is more comprehensive than a Type 1 report and provides a greater level of audit assurance. A Type 2 SOC engagement effectively addresses the same subject matter as a Type 1 SOC engagement; however, a Type 2 SOC report goes further in that it contains an opinion on the operating effectiveness of controls over the time they were operating and provides a detailed description of the tests of controls performed by the service auditor as well as the results of those tests. The results of those tests will indicate whether the control performed without audit exception or else the exception noted will be documented in the service auditor’s report.
When Should You Obtain a Type 1 vs Type 2 SOC Report?
If this is your first foray into obtaining a SOC report, whether a SOC 1 or SOC 2 report, these are the two attestation options available, either a Type 1 or a Type 2. It is generally best to obtain a Type 1 audit report initially before moving on to the more comprehensive Type 2 audit report. This approach allows the service organization to understand the audit process and the audit requirements in order to set expectations of what will be required to undergo a Type 2 audit report. Additionally, there may be more risk in having exceptions to the operational effectiveness of the controls when the first SOC report is a Type 2, particularly if the service organization does not already have strong consistent processes in place that meet the objectives or the trust services criteria.
A Type 1 audit report helps the service organization to implement the discipline necessary to successfully complete an unqualified Type 2 audit report. At least six months must elapse in order to have a Type 2 audit report because this type of audit report covers a period of time and how the controls as designed have operated over that period of time. A Type 2 audit report generally covers a period between six months and one year.
When existing or potential user entities are looking for assurance that a service provider has a SOC report, obtaining the Type 1 audit report initially is a great way to show commitment while the organization is setting internal expectations and preparing for the more comprehensive Type 2 audit report.
For the SOC report to be relied upon by user auditors, the SOC report should cover a minimum reporting period of six months. This is only achieved through a Type 2 audit report because it covers a period of time. A Type 2 audit report provides the user entity and the user entity auditors with a higher level of assurance for them to rely on. Once a Type 2 audit report is completed, the service organization will continue repeating the Type 2 thereafter.
Summary
Summary of Different SOC Reports
If the services provided to the user entity impact their internal controls over financial reporting, then a SOC 1 report should be sought. A SOC 2 report covers the trust services criteria over the security, availability, processing integrity, confidentiality, and/or privacy of the user entity’s data being processed or stored by the service organization. A SOC 3 report is not as comprehensive as a SOC 2 report and less restrictive for distribution. SOC for Cybersecurity is a report that examines an entity’s cybersecurity risk management program and related controls.
Summary of Type 1 and Type 2 SOC Reports
Type 1 SOC reports present the auditors’ opinion regarding the accuracy and completeness of management’s description of the system or service as well as the suitability of the design of controls as of a specific date. It does not test whether the controls are operating effectively over time. Type 2 SOC reports include the Type 1 criteria AND audits the operating effectiveness of the controls throughout a disclosed period of time, generally between six months and one year. It describes the tests performed of the controls and the test results.
Do You Need Assistance with SOC Reports?
If you are seeking a SOC report and need assistance in deciding what SOC report to obtain and whether to obtain a Type 1 or a Type 2 audit report, please contact us at Linford & Company. We have a team of IT audit professionals that routinely complete Type 1 and Type 2, SOC 1 audit reports (f. SAS 70 / SSAE 16), and SOC 2 audit reports on behalf of service organizations all over the world. Our team is available to answer any questions you may have to effectively address your audit needs and assist you in achieving SOC compliance.
Additional reading:
- Who Can Perform a SOC Audit?
- Sharing SOC Reports
- How Long Does a SOC Examination Take?
- Advantages of Hiring a Small Firm for Your Audit
Becky McCarty has over 20 years of experience in internal controls, audit, and advisory services. She specializes in SOC 1 and SOC 2 examinations for Linford & Co., LLP. Becky completed a Bachelor’s degree in Business Administration (Accounting) and a Master of Science degree in Management Information Systems. She worked 6 years with KPMG LLP commencing in 1999, worked several years in the energy industry, and joined Linford & Co., LLP in 2018. Becky also served 9 years on the Board of Directors for a home healthcare nonprofit. She works closely with clients so that the examinations are performed efficiently and with minimal disruption while ensuring performance in accordance with professional guidance. She enjoys helping clients successfully achieve the requirements for their SOC compliance efforts based on their objectives and/or applicable trust services criteria.