If you are being asked to obtain a Service Organization Control (SOC) report by your existing user entity or a potential user entity, you may question whether you should obtain a Type I or a Type II report.
If you are a service provider that is considering your first SOC audit to satisfy an existing or potential user entity request, it may benefit you to understand the difference between SOC report types, specifically a Type I audit report and a Type II audit report, and when you should choose one over the other.
Similarities Between Type I & Type II SOC Reports
There are several similarities between the reports. Both reports provide the reader with an overview of the service organization’s system as it is used by the user entities. Control objectives are documented that, in aggregate, form the basis for how the service organization reliably provides the service and meets the service commitments and system requirements of the user entities.
Individual internal controls are linked to these control objectives; they describe the processes the service organization performs to achieve each stated control objective. There are typically multiple controls linked to a single control objective. A description is also included of the complementary user entity controls that must be in place at the user entity for the entire system of controls to work together to achieve the stated control objectives.
Additionally, a management assertion from the service organization is provided that addresses the description of the service organization’s system and whether the controls are suitably designed to provide reasonable assurance that the service commitments and system requirements, and therefore the stated control objectives, will be met.
Differences Between Type I & Type II SOC Reports
The main difference between the two types of reports is within the coverage and depth of the audit procedures performed.
Type I SOC Reports
A Type I audit report is as of a point in time (e.g., September 30). It covers only the design effectiveness of the internal controls that help you meet your control objectives for the outsourced services you provide to your user entities and on which they rely. The Type I audit report attests to the suitability of the internal controls linked to the control objectives and validates that the controls, in aggregate, are sufficient to achieve each control objective described. A readiness assessment can be performed even before the Type I SOC report so that your service organization understands its existing controls and the recommendations that should be implemented prior to the full Type I SOC assessment.
Type II SOC Reports
A Type II audit report covers a period of time, typically twelve months (e.g., October 1, 2017 – September 30, 2018). This type of audit report covers the design of the internal controls as well as the operating effectiveness of those controls over time, which together help you meet your control objectives for the outsourced services provided to your user entities. A Type II SOC engagement provides reasonable assurance that the controls operated effectively to meet the service organization’s control objectives over the service commitments and system requirements during the period under review.
A Type II SOC engagement effectively addresses the same subject matter as a Type I SOC engagement; however, a Type II SOC report goes further in that it contains an opinion on the operating effectiveness of controls over the period they were operating and provides a detailed description of the tests of controls performed by the service auditor, as well as the results of those tests. The results of those tests indicate whether each control performed without exception; where exceptions were noted, they are documented in the service auditor’s report.
When Should You Obtain a Type I vs Type II SOC Report?
If this is your first foray into obtaining a SOC report, whether a SOC 1 or a SOC 2 report, these are the two attestation options available: a Type I or a Type II. It is generally best to obtain a Type I audit report initially before moving on to the more comprehensive Type II audit report. This approach allows the service organization to understand the audit process and the audit requirements, and to set expectations of what will be required to undergo a Type II audit.
A Type I audit report helps the service organization implement the discipline necessary to successfully complete an unqualified Type II audit report. Generally speaking, at least six months must elapse before a Type II audit report can be issued, because this type of audit report covers a period of time. A Type II audit report generally covers a period of between six months and one year.
When existing or potential user entities are looking for assurance that a service provider has a SOC report, obtaining the Type I audit report initially is a great way to show commitment while the organization is setting internal expectations and preparing for the more comprehensive Type II audit report.
Another difference between a Type I and a Type II audit report is that, for the SOC report to be relied upon by user auditors, the report should cover a minimum reporting period of six months. This can only be achieved with a Type II audit report because it covers a period of time. A Type II audit report therefore provides user auditors with a higher level of assurance on which to rely.
Type I SOC Report Summary
Presents the auditors’ opinion regarding the accuracy and completeness of management’s description of the system or service as well as the suitability of the design of controls as of a specific date. Does not test whether the controls are operating effectively over time.
Type II SOC Report Summary
Includes the Type I criteria AND audits the operating effectiveness of the controls throughout a disclosed period of time, generally between six months and one year. Describes the tests performed on the controls and the test results.
Seeking Assistance with SOC Reports
If you are seeking a SOC report and need assistance in deciding whether to obtain a Type I or a Type II audit report, or if you would like more information regarding these report types or a readiness assessment, please contact us at Linford & Company. We have a team of IT audit professionals that complete Type I and Type II SOC 1 audit reports (formerly SAS 70 / SSAE 16) and SOC 2 audit reports on behalf of service organizations all over the world. Our team is available to answer any questions you may have, to effectively address your audit needs, and to assist you in achieving your objectives.
Becky McCarty (CPA, CISA, CRISC, CIA, CFE) specializes in SOC 1 and SOC 2 examinations for Linford & Co., LLP. She completed her Master’s degree in Information Systems in 1996, started working with KPMG in 1999, and joined Linford & Co., LLP in 2018. She works closely with clients so that the examinations are performed efficiently and with minimal disruption while ensuring performance in accordance with professional guidance. She enjoys helping clients successfully achieve the requirements for their SOC audit reports based on their applicable trust services criteria.