Do I Need a SOC 1 Type I or a SOC 1 Type II?

by Joseph Kirkpatrick / June 14th, 2019

If you’ve been asked to demonstrate SOC 1 compliance, you’ll need to determine what exactly is being asked of you. For example, do you need a SOC 1 Type I or SOC 1 Type II audit? Do you need both? Let’s take a look at the difference between a SOC 1 Type I and SOC 1 Type II audit and how you can determine which is most suitable for your organization’s compliance efforts.

What’s the Difference Between a SOC 1 Type I and SOC 1 Type II?

Understanding the difference between a SOC 1 Type I and SOC 1 Type II is simple; it comes down to the audit period. While both a SOC 1 Type I and SOC 1 Type II report on the controls and processes at a service organization that may impact their user entities’ internal control over financial reporting, the main difference between the two types of audits is the period in which the auditor verifies the effectiveness of internal controls. For example, if an organization opts to engage in a SOC 1 Type I audit, the auditor will assess their controls and processes that could impact their user entities’ ICFR for a specific point in time. On the other hand, if an organization wants to pursue a SOC 1 Type II audit, the auditor will assess their controls and processes that could impact their user entities’ ICFR over a period of time.

What Type of SOC 1 Audit Do I Need?

The type of SOC 1 audit your organization needs depends on your organization’s compliance goals. Has a client asked for a SOC 1 audit? Did they specify which type of SOC 1 audit you need? In many cases, clients will not specify which type of audit they want you to have. In these instances, we always recommend that organizations begin with a Type I audit and then move onto a Type II audit, if needed. Why? Because beginning with a Type I audit allows your organization and your auditor to focus on the design and implementation of your internal controls, whereas a Type II requires additional time, testing, and resources that might make the audit process more challenging if you’ve never reviewed your internal controls before.

Want to learn more about the difference between a SOC 1 Type I and SOC 1 Type II or how KirkpatrickPrice can help you with your SOC 1 compliance objectives? Contact us today.

More SOC 1 Resources

Understanding Your SOC 1 Report Video Series

SOC 1 Compliance Checklist: Are You Prepared for an Audit?

How to Read Your Vendors SOC 1 or SOC 2 Report?

[av_toggle_container initial=’1′ mode=’accordion’ sort=” styling=” colors=” font_color=” background_color=” border_color=” custom_class=”]
[av_toggle title=’Video Transcription’ tags=”]

When I get asked about SOC 1 Type I and SOC 1 Type II audits, I usually tell clients, “It’s going to come down to what your client is asking for.” Is your client specifically requiring you to go to the Type II, which many times will come after doing a Type I the first time. We’ve seen clients that have simply been required to do a Type II first, but if your client isn’t specifying that, because many times they’ll just tell their clients that they need to do a SOC 1 audit or an SSAE 18 audit. In other words, it will just be broad like that in their request. If this is the case, you have the luxury of starting with a SOC 1 Type I report. The benefit of starting there is that it allows you to focus with your auditor and work with your auditor on the description of your controls and the suitability of the design of those controls and really focus on that and getting those controls in place. That’s the threshold for a SOC 1 Type I report. What happens with a SOC 1 Type II report is that there is additional time spent testing, because in addition to those things, the auditor also has to test operating effectiveness over a period of time. It takes extra time and resources to do that because you need some time to make sure that the controls were in place and operating for a period of time. So, if a client is requiring you to go there first, then that’s the best approach to spend the time there to do the SOC 1 Type II audit, but if at all possible, try to start with the SOC 1 Type I audit so that you can focus on each step individually.

[/av_toggle]

[/av_toggle_container]