SOC 2 Type 1 and Type 2: A Quick Overview
Can you provide a quick overview on what a SOC 2 examination is and the difference between a Type 1 and Type 2 report?
In early 2011, the AICPA issues its Service Organization Control (SOC) reporting framework. The purpose of this framework is to differentiate between the common types of AICPA reports that service organizations are expected to provide to their customers. A SOC 2 report, titled “Report on Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality or Privacy” is designed to meet a broad set of reporting needs about the controls at a service organization in the form of a CPA firm’s independent attestation report.The scope of a SOC 2 report is determined by the client and the auditor utilizing one or more of the Trust Service Principals (TSP's), discussed above, as specified by the client to determine whether an information system operated by the client utilizes sufficient control activities to meet the specified criteria for the selected principles. The client also specifies whether a “Type 1” or “Type 2” examination will be performed for the SOC 2 report.
Schellman performs a “Type 1” SOC 2 examination when management requires a report on the fairness of presentation of the service organization’s system and the suitability of the design of controls as of a specified date.
A “Type 2” SOC 2 examination is performed when management requires a report on the fairness of presentation of the service organization’s system and the suitability of the design and operating effectiveness of controls over a period of time. The resulting report is a restricted use report that should only be used by third parties sufficiently familiar with the system.
About DEBBIE ZALLER
Debbie Zaller is a Principal at Schellman & Company, LLC. Debbie leads the SOC 2, SOC 3 and Privacy service lines and is also an AICPA-approved and nationally listed SOC Specialist. As practice leader she is responsible for internal training, methodology creation and quality reporting. Debbie also leads the firm’s Midwest market. Debbie has over 20 years of IT compliance and attestation experience. Debbie was on the AICPA Task Force for the Advanced SOC for Certification Exam, was a member of the Florida Institute of Certified Public Accountants Board of Governors and served on the Finance and Office Advisory Committee.