Type 1 or Type 2?
One of the many confusing things about getting a SOC audit for your business is deciding which would best help you meet your customers’ needs. Thanks to the naming conventions, you get to pick from a confusing number of options, the most popular being: “SOC 1 Type 1”, “SOC 1 Type 2”, “SOC 2 Type 1” or “SOC 2 Type 2”. For purposes of this post, we will discuss the “Type” only. For SOC reports, the “Type” of the report only tells you the time period over which the service organization’s controls were audited, and no more.
In a Type 1 report, the service organization’s controls are audited “as of” a point in time (typically, a day). We think of this as something like taking a picture of the family at a holiday. Once you wrangle all of the kids into one place and pose them, you can just keep taking the picture until everyone happens to be smiling. The Type 1 reports work in a similar way – as long as the controls within the service organization are suitably designed and placed in operation at that time, then that is sufficient to get a favorable SOC Type 1 report.
In auditor-speak, suitably designed and placed in operation means that the service organization has Policies and Procedures in place, and from those a set of controls has been performed at least once that will be reviewed as part of the audit. During the audit process, the auditor will perform a “walk through” of the controls and observe evidence that each control has been performed at least once, hopefully gaining comfort that this is how things should be going forward.
Let’s say you have a control that states that “the chief button pusher presses the red button each day”. The auditor would review the color of the button that is pressed and obtain some evidence that the red button was indeed pushed on that day. The auditor would not check a sample of other days to determine whether this is a one off event or if the button pusher actually pushed buttons reliably.
While a Type 1 report can give a service organization’s customers some level of assurance that it is performing controls as expected, it does not provide any assurance over the service organization’s consistency in performing that control. Knowing that, Type 1 reports are often used as stepping stones for organizations on the path to obtaining their Type 2 report, as a way of demonstrating compliance to their customers in the meantime. The other area where we see Type 1 reports used on an annual basis is for service organizations that focus on small to midsize businesses that are not publicly owned. SOX requirements oblige public companies to have assurance over their service organizations for a period of time and not just a point in time.
In a Type 2 report, the service organization’s controls are audited over a period of time for a minimum of six months to up to a year. Going back to the picture analogy, instead of taking a posed picture, you would instead take a video of everyone posing which would allow you to identify who was making funny faces. The Type 2 report works in a similar way, requiring that controls are suitably designed, placed in operation and operating effectively during the specified audit period.
In auditor speak, suitably designed, placed in operation and operating effectively takes what is done in the Type 1 report (suitably designed and placed in operation) and builds upon it by determining the operating effectiveness of the control. During the audit process, the auditor will perform a “walk through” of the control (just like the Type 1) and once he/she determines that it is suitably designed and placed in operation, then the auditor will perform additional testing to conclude that it was also operating effectively during the audit period. This testing typically takes the form of taking a sample of the population of instances of the control and reviewing evidence to determine that the control was operating effectively.
Going back to our button pushing example, the auditor would first gain comfort about the color of the red button and determine that it was pressed on a particular day. Then, to test the operating effectiveness of the button pusher’s daily red button pushing, the auditor would select a sample of days (expect about 25 days to be chosen at random) and review evidence that the red button was in fact pushed on each of those days. This would allow the auditor to conclude that the button pusher indeed pushed the button daily over the entire audit period.
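To make the difference between the two testing approaches concrete, here is an added illustration (not code from the original post, and not how any audit firm’s tooling works): a point-in-time Type 1 check looks at the evidence for a single day, while a Type 2 test draws a random sample of days across the audit period and reports every day whose evidence is missing or wrong. The evidence log, the audit period and the gap days are all constructed for the example, and the `seed` parameter is a hypothetical convenience so the sample can be re-performed.

```python
import random
from datetime import date, timedelta

# --- Constructed evidence log (illustrative, not real audit data) ----------
# Audit period: six months, inclusive of both ends.
PERIOD_START = date(2023, 1, 1)
PERIOD_END = date(2023, 6, 30)
# Days on which no evidence exists at all (the control was not evidenced).
MISSED_DAYS = {date(2023, 2, 14), date(2023, 4, 3)}
# Days on which evidence exists but shows the wrong button was pressed.
WRONG_COLOUR_DAYS = {date(2023, 5, 20)}


def build_evidence_log():
    """Return {day: colour_pressed} for every evidenced day in the period."""
    log = {}
    day = PERIOD_START
    while day <= PERIOD_END:
        if day not in MISSED_DAYS:
            log[day] = "blue" if day in WRONG_COLOUR_DAYS else "red"
        day += timedelta(days=1)
    return log


def type1_check(log, as_of):
    """Type 1: was the control performed (red button pressed) as of one day?"""
    return log.get(as_of) == "red"


def type2_test(log, start, end, sample_size=25, seed=None):
    """Type 2: sample days across the period and report exceptions.

    Returns (sampled_days, exceptions). `exceptions` is a list of
    (day, reason) tuples in date order. `seed` (hypothetical) makes the
    random selection repeatable; the population never exceeds the period.
    """
    population = [start + timedelta(days=i)
                  for i in range((end - start).days + 1)]
    rng = random.Random(seed)
    sampled = sorted(rng.sample(population, min(sample_size, len(population))))
    exceptions = []
    for day in sampled:
        if day not in log:
            exceptions.append((day, "no evidence for this day"))
        elif log[day] != "red":
            exceptions.append((day, f"evidence shows {log[day]} button, not red"))
    return sampled, exceptions


if __name__ == "__main__":
    log = build_evidence_log()
    # A single good day passes the point-in-time check even though the
    # period contains gaps that only the sampled test can surface.
    print("Type 1 as of 2023-03-01:", type1_check(log, date(2023, 3, 1)))
    sampled, exceptions = type2_test(log, PERIOD_START, PERIOD_END, seed=7)
    print(f"Type 2 sampled {len(sampled)} days; exceptions: {exceptions or 'none'}")
```

Whether a 25-day sample happens to land on one of the three bad days depends on the draw; that is exactly why a Type 2 report speaks to the whole period while a Type 1 only speaks to the day the picture was taken.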
As you can see, Type 2 reports provide a higher level of assurance of how well controls are working at a service organization over a period of time. Larger companies, as well as companies that know what they are asking for, will ask service organizations to provide a Type 2 report, as it is a much higher bar to clear. As a service organization, we have found that the biggest leap between the Type 1 and Type 2 reports is the ability to document and evidence what the service organization is doing in a way that can be reviewed afterward.
TL;DR (Too Long; Didn’t Read) – Which do I pick?
The most important thing for a service organization to remember is that getting a SOC audit performed is about meeting its customers’ needs. Thus, in most cases, the variety and Type of report should be based on what is asked of them. Here are a couple of quick ways to determine which Type is best:
- Your customer only asks for a Type 1.
- Your customer asks for a Type 2, but you’re not confident that you can evidence the operating effectiveness of your controls (or you are a very new organization with a new product/platform). If the customer does not want to wait for the minimum six months for the Type 2 report, we typically suggest going through a Type 1 immediately and following that up with a Type 2 after the controls have been operating for six months.
- Your customer asks for a Type 2. The customer is always right!
- Your customer asks for a Type 2, but you’re not ready for one. Get a Type 1 and follow it up with a Type 2 when you’re ready.