SOC Report Type 1 vs. Type 2 | SOC 1, 2, 3 Reporting Definitions (2024)

July 9, 2012

By Ben Osbrach, National Risk Advisory Leader

Many organizations confuse a Type 1 vs. Type 2 report with the SOC 1 vs. SOC 2 standards.

A SOC 1 report is for service organizations that impact or may impact their clients’ financial reporting.

A SOC 2 report is for service organizations that hold, store or process information of their clients, but is not significant to financial reporting (e.g., would not affect their income statement or balance sheet).

Below is an explanation of Type 1 vs. Type 2, as well as background information on the different SOC reports. Contact us if you would like additional information.

Questions often arise regarding the difference between a SOC Type 1 and Type 2 report. We want to explain the difference between the two types of reports, as well as the different SOC reporting versions. The short answer is that a Type 1 report only describes the procedures and controls an organization has put in place as of a point in time. A Type 2 report covers an audit period and provides evidence of how an organization operated its controls over that period. It is important to understand that a Type 2 SOC report does not impose more stringent control requirements; rather, it describes how a company's control environment operated over its audit period (typically not less than six months). The same controls can appear in a Type 1 report and a Type 2 report; the only difference is that in a Type 2 report they are audited or examined over a period of time, and the testing results are reported in the SOC 1 or SOC 2 report.

On June 15, 2011, the SAS 70 standard was effectively replaced by SSAE 16 (SOC 1). During this transition period, the AICPA decided to create a new brand for service organization control reports, and it published the SOC reporting standards with three different SOC reports. It is important to understand that SOC 1, SOC 2 and SOC 3 are not the same report at different levels. It is common for organizations to think that a SOC 3 report is a higher level than SOC 1; however, that is just not the case.

Below is an explanation of the three different SOC reporting options.

Organizations that were previously required to obtain a SAS 70 can undergo a SOC 1 audit to meet their clients' requirements. SOC 1 is an engagement performed under SSAE 16 in which a service auditor reports on controls at a service organization that may be relevant to user entities' internal control over financial reporting. The scope of a SOC 1 report should cover the information systems that are utilized to deliver the services under review. There are two types of SOC 1 reporting options:

• SOC 1 Type 1: A design of controls report. This option evaluates and reports on the design of controls put into operation as of a point in time.
• SOC 1 Type 2: Includes the design and testing of controls to report on the operating effectiveness of controls over a period of time (typically six months).

A SOC 2 report is an engagement performed under AT section 101 and is based on the existing SysTrust and WebTrust principles. This report has the same options as the SSAE 16 report, in that a service organization can decide to undergo a Type 1 or Type 2 audit. However, unlike the SSAE 16 audit, which is based on internal controls over financial reporting, the purpose of a SOC 2 report is to evaluate an organization's information systems that are relevant to security, availability, processing integrity, confidentiality or privacy. The criteria for these engagements are contained in the Trust Services Principles, Criteria and Illustrations. Organizations that are asked to provide an SSAE 16 but do not have an impact on their clients' financial reporting should select this reporting option.

A SOC 3 report is an engagement performed under AT section 101 and is also based on the criteria contained in the Trust Services Principles, Criteria and Illustrations. However, unlike the SOC 1 and SOC 2 options, the SOC 3 report does not contain a description of the service auditor's test work and results. SOC 3 reports are general use reports and fall under the SysTrust and WebTrust seal programs. Clients that select a SOC 3 report can obtain a SysTrust or WebTrust seal to place on their website and marketing materials as long as they maintain compliance (i.e., successfully complete a SOC 3 report every 12 months). Organizations whose primary goal is the marketing of their system/product against an industry-approved standard should select this reporting option.

Assurance Concepts is a CPA firm that specializes in providing regulatory compliance and risk advisory services. Our expertise includes SSAE 16 (SAS 70) audits, SOX 404 compliance, SysTrust, WebTrust, HIPAA, ISO 27001 / 27002 and PCI DSS QSA services. Our service delivery model is designed to provide unparalleled client service to each of our clients and help maximize the long-term value of their audit activities.
