The SOC Audit Process: Tackling Type I and Type II Reports

by Sarah Harvey / February 10th, 2020

So you’ve decided whether you need a SOC 1 or a SOC 2 audit…what’s next? You need to decide where you’ll begin the SOC audit process. With a gap analysis? What are the SOC report types? A Type I? A Type II? Let’s discuss KirkpatrickPrice’s method for completing Type I and Type II audits.

SOC Report Types: Type I and Type II FAQs

No matter the SOC report types needed (SOC 1 or SOC 2), there are a few common questions we receive from service organizations going through the SOC audit process for the first time, and they involve deciding between SOC report types.

Do I need a Type I or a Type II report?

The key difference between a Type I and Type II report is the attestation on the operating effectiveness of controls. A Type I report is an attestation about controls at a service organization at a specific point in time, and a Type II report is an attestation about controls at a service organization over a period of time. Observing controls over a period of time allows for verification that controls are suitably designed and operating effectively – whereas a Type I report attests that controls are suitably designed and implemented.

Many questions about the SOC report types depend on what your client is asking for. If they are satisfied with a Type I report, you may elect to undergo that audit and stop there. If you’re undergoing these audits to be proactive, we recommend getting a Type II report – but this doesn’t always mean you skip the Type I.

Do I have to go through a Type I audit before a Type II audit?

It is not a requirement to go through a Type I audit before you go through a Type II audit – but it is our recommendation. Gaining a Type II attestation on your very first audit will be a difficult process for your team – you have to be prepared to show your policies, controls, objectives, and commitment to compliance, all while establishing that your controls have been operating effectively for at least six months. Going through a Type I audit first gives you the opportunity to learn how the SOC audit process works, establish your control objectives, learn where your areas of weakness are, and discover what you need to improve before the Type II audit. We have found that when a service organization rushes to get a Type II report, the final result isn’t as valuable as it would be if they had prepared better for the audit.

Want to hear from a client that received both SOC report types within a year? Read about Sigstr’s SOC 2 journey here.

Do I need to go through a gap analysis before the Type I? What about the Type II?

Whenever any organization goes through any audit for the first time, we strongly recommend starting with a gap analysis. By starting the SOC audit process with a gap analysis, our auditors can identify any operational, reporting, and compliance gaps in your organization and advise you on strategies for remediation. Gap analyses compare what you’re doing to what regulations require of you. Once you receive the results of the gap analysis, your organization can remediate any identified gaps before the audit begins.

For a first time SOC audit, a basic audit map may be: a gap analysis first, then the Type I audit, then the Type II audit. If you elect to skip the Type I, you can still choose to go through a gap analysis before the Type II audit. In some cases, organizations have thought they should skip the Type I audit, but after receiving their gap analysis results, they thought it would be wise to undergo the Type I before the Type II.

What happens if I fail the Type I?

SOC audits do not work on a pass/fail system. The purpose of a SOC report is to provide user entities with reasonable assurance that their controls are suitably designed and operating effectively. Instead of passing or failing your organization, an auditor will issue a qualified or unqualified opinion. Understanding reasonable assurance changes your pass/fail mindset to considering how an auditor would assess specific controls. Would an auditor see that these controls are suitably designed? Would we achieve reasonable assurance? If an auditor determines that a control was not in place or effective, then a qualified opinion would be issued. This would sound something like, “Except for Control X, reasonable assurance is there. The controls have been suitably designed and operating effectively.” An unqualified opinion means there are no qualifications or significant exceptions being issued and reasonable assurance has been determined.

KirkpatrickPrice’s Type I and Type II Process

Because so many service organizations are completing a SOC audit at the request of a client, many are on a strict timeline for the SOC audit process. That is why, at KirkpatrickPrice, we’ve developed a streamlined SOC audit process to get service organizations through a gap analysis, Type I, and Type II audit in a faster way, but without losing quality. By electing to undergo both a Type I and Type II audit, we actually give you more resources to help your team make SOC audit process more valuable. No one should have to begin a Type II audit unprepared because of timelines.

Contact us today and let’s talk about how we can partner together to get you through the SOC audit process and achieve your compliance goals.