Can you provide a quick overview on what a SOC 2 examination is and the difference between a Type 1 and Type 2 report?
In early 2011, the AICPA issues its Service Organization Control (SOC) reporting framework. The purpose of this framework is to differentiate between the common types of AICPA reports that service organizations are expected to provide to their customers. A SOC 2 report, titled “Report on Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality or Privacy” is designed to meet a broad set of reporting needs about the controls at a service organization in the form of a CPA firm’s independent attestation report.The scope of a SOC 2 report is determined by the client and the auditor utilizing one or more of the Trust Service Principals (TSP's), discussed above, as specified by the client to determine whether an information system operated by the client utilizes sufficient control activities to meet the specified criteria for the selected principles. The client also specifies whether a “Type 1” or “Type 2” examination will be performed for the SOC 2 report.
Schellman performs a “Type 1” SOC 2 examination when management requires a report on the fairness of presentation of the service organization’s system and the suitability of the design of controls as of a specified date.
A “Type 2” SOC 2 examination is performed when management requires a report on the fairness of presentation of the service organization’s system and the suitability of the design and operating effectiveness of controls over a period of time. The resulting report is a restricted use report that should only be used by third parties sufficiently familiar with the system.