Understanding the Difference Between a SOC Type 1 and Type 2 Report

Type 1 Report

A Type 1 report assesses your organization’s controls at a specific point in time, providing a snapshot of your environment that demonstrates the required controls are suitably designed and implemented. It includes:

  • A description of your systems as a whole.
  • An assessment of your organization’s internal control design.

Many businesses that have never completed a SOC audit start with a Type 1 report and move on to a Type 2 report after the audit period.

Type 2 Report

A Type 2 report assesses your controls over a period of time, usually 12 months. Because this report is more comprehensive than a Type 1 report, it provides a higher level of assurance to your customers.

Unlike a Type 1 report, a Type 2 report sample-tests your environment at various points in the review period to determine whether the controls are suitably designed, active, and operating effectively throughout that period.

A Type 2 report includes the following:

  • A description of your systems as a whole.
  • An assessment of your organization’s internal control design, as well as the operational effectiveness of those controls.
  • Detailed descriptions of the auditor’s control tests and results.

Transitioning from Type 1 to Type 2

Organizations often use the successful completion of a Type 1 report as the start of the Type 2 review period. Once the required time has elapsed, historical testing of that period can be conducted to complete the Type 2 report.

To transition between report types, you must:

  • Review the audit opinion from the Type 1 report.
  • Remediate and implement necessary and additional controls.
  • Document controls with appropriate evidence for review.
  • Consistently inspect controls for proper execution (with internal random sample-testing prior to the audit period).
  • Ensure education and/or training is provided for new controls implemented after the Type 1 assessment.