SOC 1 & 2 Report Types

SOC 1 and SOC 2 offer two types:

​

• Type 1 - Suitability of the "Design of Controls" 

• Type 2 - Suitability of the Design and "Effectiveness" of the Controls 

​

There's two primary differences in the SOC report type.  1) a type 1 report is an evaluation of the controls for a service organization at a "point in time" not over a period of time.  2) a type 1 report does not involve the testing of the control effectiveness (does the control work?) by the service auditor.  Whereas, a type 2 report covers a period of time (usually 1 year) and includes details of test results performed by the service auditor.

​

Needless to say, a type 2 report is considered to provide more assurance to report users than a type 1.  Primarily due to the testing of controls and validation that controls operated effectively over a period of time.

​

You may ask..  "why be assessed for a type 1 report, if a type 2 report is more widely requested by report users?".  The most common reason is for those organizations that are undergoing a SOC assessment for the very first time.  First time SOC clients most likely do not have all of the controls identified and operating for a specified period of time.  The first step to SOC certification, is to prepare by identifying the scope or boundaries of the system (service), selecting and implementing controls to satisfy either Trust Services Criteria (TSC) for SOC 2 or develop and implement controls based on an internal control framework for a SOC 1.

 

Once the controls are designed, implemented and are operating effectively, the service organization can request a type 2 assessment.  1st Secure Compliance can prepare your organization for both types of report with a SOC Readiness Assessment.  Once the Readiness Assessment has been completed, the organization is well-positioned to have a type 1 report issued, which will provide report users valuable information in the interim of receiving the type 2 assessment..