SOC Reports: Differences Between Type I and Type II Reports

As consistent with SAS 70 audits, service organizations can obtain Type I or Type II reports for both SOC 1 and SOC 2 audits.

Since the SOC 3 report must cover a defined period of time, which is generally at least a six month audit period, and the resulting output is an opinion letter only, a Type I or Type II designation does not apply.

The following matrix compares Type I and Type II SOC reports.

[table id=2 /]

Type I

It is issued…generally only once during the first year of engagementIt covers…the design of the service organization’s internal control environmentIt includes…an opinion from an independent service auditor and a description of the organization’s controlsThe reporting period is…as of a particular point in time (e.g., as of September 30, 2014)

Type II

It is issued…annually typically after a Type I report has been issuedIt covers…the design and the operating effectiveness of the service organization’s internal control environmentIt includes…an opinion from an independent service auditor, a description of the organization’s controls and results of tests of controlsThe reporting period is…over a defined period of time, which is generally at least a 6 month audit period (e.g. January – June 2015)

Was this helpful? Share to your network.

Article Category: