Do I need a SOC 1 Type I or a SOC 1 Type II Report?

by Joseph Kirkpatrick / September 22nd, 2017

When considering having a SOC 1 audit performed, there are two different report options available. Knowing whether you need a SOC 1 Type I or a SOC 1 Type II report will depend on your client’s needs and timing constraints.

What’s the difference between a SOC 1 Type I and a SOC 1 Type II report?

A SOC 1 Type I and a SOC 1 Type II both report on the controls and processes at a service organization that may impact their user entities’ internal control over financial reporting. The main difference to note is that a SOC 1 Type I report is an attestation of controls at a service organization at a specific point in time, whereas a SOC 1 Type II report audits controls at a service organization over a period of time (minimum six-month period) in order to attest to the operating effectiveness of the controls.

Do I need a SOC 1 Type I or a SOC 1 Type II Report?

If your client has requested a SOC 1 report from you but doesn’t require a specific type, how do you determine whether you need a SOC 1 Type I or a SOC 1 Type II report? If it’s your first time going through a SOC 1 audit, we commonly advise clients to begin with a Type I and then move to a Type II the following audit period. SOC 1 Type I reports are less constraining than a SOC 1 Type II report. SOC 1 Type I reports also give you the opportunity to work with your auditor on designing controls and ensuring that the description of controls would be fair and accurate in the report.

If you’re required to receive a SOC 1 Type II report, additional testing is necessary to determine that the controls are not only in place, but also operating effectively over a period of time. SOC 1 Type II audits take more time to conduct because you’re looking at controls over a period of time.

It’s important to consider these factors, client needs, and timing constraints, when trying to decide if you need a SOC 1 Type I or a SOC 1 Type II report. If you have questions about which type of SOC report you need or want help demonstrating to your clients your commitment to security and compliance, contact us today.

The type of report that you should receive for your SSAE 16 (now SSAE 18), many times is determined by what your client is asking you to do. Sometimes your request from your client will be an SSAE 18 report, period. There are two types of reports. There’s a Type I and a Type II. If you’ve never done an SSAE 18 report before, it’s a good idea to begin in the first year with a Type I report. If your client is not requiring you to constrain to the Type II report, a Type I report gives you the opportunity to work with the auditor on designing your controls and ensuring that the description of your controls would be fair and accurate in the report. That’s the threshold for a Type I report.

If they are requesting you to do a Type II report, there is additional testing that must take place from the auditor in order to determine that the controls are not only in place, but also operating effectively over a period of time. A Type I is a good place to start because you’re able to address the design and description of the controls as of a certain date, whereas a Type II report takes a little bit more time to conduct because you have to look at those controls having been in place over a period of time. Please consider those factors as you determine if you need a Type I or Type II SSAE 18 report.