<img height="1" width="1" style="display:none" src="https://www.facebook.com/tr?id=1977396509252409&amp;ev=PageView&amp;noscript=1">

SUITE OF SERVICES services menu

Hamburger-menu.png
MobileSearchIcon.png
Brightline-BlogBanner.jpg

THE SCHELLMAN ADVANTAGE BLOG

< BACK TO BLOG HOME

brightline-responds.jpg

SOC 2 Type 1 and Type 2: A Quick Overview

Written by DEBBIE ZALLER on Jun 22, 2015

Can you provide a quick overview on what a SOC 2 examination is and the difference between a Type 1 and Type 2 report?

In early 2011, the AICPA issues its Service Organization Control (SOC) reporting framework. The purpose of this framework is to differentiate between the common types of AICPA reports that service organizations are expected to provide to their customers. A SOC 2 report, titled “Report on Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality or Privacy” is designed to meet a broad set of reporting needs about the controls at a service organization in the form of a CPA firm’s independent attestation report.The scope of a SOC 2 report is determined by the client and the auditor utilizing one or more of the Trust Service Principals (TSP's), discussed above, as specified by the client to determine whether an information system operated by the client utilizes sufficient control activities to meet the specified criteria for the selected principles. The client also specifies whether a “Type 1” or “Type 2” examination will be performed for the SOC 2 report.

BrightLine performs a “Type 1” SOC 2 examination when management requires a report on the fairness of presentation of the service organization’s system and the suitability of the design of controls as of a specified date.

A “Type 2” SOC 2 examination is performed when management requires a report on the fairness of presentation of the service organization’s system and the suitability of the design and operating effectiveness of controls over a period of time. The resulting report is a restricted use report that should only be used by third parties sufficiently familiar with the system.

Topics: SOC

DEBBIE ZALLER

MEET THE WRITER

DEBBIE ZALLER

PRINCIPAL AND SOC 2 PRACTICE LEADER

Debbie is Principal and co-owner at Schellman & Company, LLC. She began her career in 2000 while working at Arthur Andersen in their Technology Risk Assurance practice. Debbie now leads the Midwest Region along with the Privacy, SOC 2 and SOC 3 service lines and is also on the AICPA’s SOC Specialist Task Force. She is responsible for internal training, methodology creation, and quality reporting. Debbie was a past member of the Florida Institute of Certified Public Accountants’ Board of Governors and served on the Finance and Office Advisory Committee. She also served on the AICPA’s Advanced SOC for Service Organizations Certificate Task Force.

COMMENTS