Understanding the Difference Between SOC 1 Type 1 and Type 2 Reports

What Is a SOC 1 Report?

The American Institute of Certified Public Accountants (AICPA) describes a SOC 1 report as a “report on Controls at a Service Organization which are relevant to user entities’ internal control over financial reporting.” It gives entities information about the delivery processes relevant to internal controls over financial reporting and builds confidence and trust in those processes. Since customers must comply with the audits, SOC testing results can make the audits run smoothly.

From 1993 to 2011, the SOC 1 report was called a Statement on Auditing Standards No. 70. The Auditing Standards Board of the AICPA changed the name when it implemented the Statement on Standards for Attestation Engagements (SSAE) No. 16, which created the auditing standard for service organizations. As of May 1, 2017, the AICPA implemented SSAE 18 to recodify the standards.

A payroll processing company is an example of a service organization that might need a SOC 1 report. The businesses that use the payroll processing service can request an independent guarantee that their documented payroll is handled according to their expectations. SOC 1 reports provide assurance that the payroll processing company’s practices are suitable and effective. Some other service organizations that may need SOC 1 reports are medical claims processors, data centers, software-as-a-service companies and loan servicing companies.

What Is the Difference Between SOC 1 Type 1 and SOC 1 Type 2 Reports?

There are two SOC report types, and each is slightly different. Also referred to as a point-in-time report, the Type 1 report focuses on a specific date and includes a description of the structure that a service organization uses. It also tests the control system to determine if it’s designed correctly. However, it doesn’t test for operating effectiveness.

The Type 2 report covers a time period, which is at least six months but usually one year. Along with a description and design test, it also checks the operating effectiveness of internal practices during that period. In either case, the details of a SOC 1 report are restricted to the service organization, requesting customer and auditor.

What About SOC 2 Reports and Types?

The difference with a SOC 2 report is that it’s an audit of the nonfinancial practices of a service organization. These practices relate to the availability, confidentiality, privacy, processing integrity and security of its systems. These are known as Trust Service Principles (TSPs). The objectives are to provide assurance that these practices are suitable for the companies that use them and that they achieve proper protection for client data.

As with SOC 1 reports, SOC 2 reports come in Type 1 and Type 2 forms, and the difference between them is the same. A SOC 2 Type 1 report provides evidence of service suitability for a specific date but doesn’t test effectiveness. On the other hand, a SOC 2 Type 2 report is evidence of suitable management for a minimum of six months and attests to the effectiveness of the practices.

Similar to SSAE 18 SOC 2 reports, other tests can be used to assure internet users and provide transparency and protection from damaged data, lost sales and security leaks. Based on the TSPs, the SysTrust report focuses on the availability, integrity and security of systems. A WebTrust report also tests confidentiality, privacy and non-repudiation. The certification can be displayed on a website to show consumers that the site is in compliance with the TSPs.

Where to Get More Information

Learning the difference between SOC 1 Type 1 and Type 2 reports and others can be a time-consuming endeavor. Certified TrustNet professionals can offer further clarification and guidance when choosing the right reports.