What is the difference between SOC 2 Type 1 and SOC 2 Type 2
The AICPA defines a SOC 2 Type 1 report as - a report on the fairness of the presentation of management's description of the service organization's system and the suitability of the design of the controls to achieve the related control objectives included in the description as of a specified date.
To translate that to layman's terms - Is the company set up for success with its current controls and does the system description accurately reflect the company’s operations?
The AICPA defines a SOC 2 Type 2 report as - a report on the fairness of the presentation of management’s description of the service organization’s system and the suitability of the design and operating effectiveness of the controls to achieve the related control objectives included in the description throughout a specified period.
To translate that to layman's terms - Did the company do what it said it was going to do when it said they were going to do it and does the system description accurately reflect the company’s operations?
SOC 2 Type 1
The SOC 2 Type 1 audit looks at one day (point in time) and gives the opinion that everything is set up correctly. The auditor will look at the system description and the controls to make sure that they match the SOC 2 criteria. The auditor will also look at the evidence to verify that the control is in place.
A SOC 2 Type 1 report will give you the peace of mind that you have designed your controls appropriately to meet defined Trust Services Criteria.
SOC 2 Type 2
All the work that you did for SOC 2 Type 1 applies to Type 2. Now you just need to follow those policies and do what you said you were going to do and collect the evidence to prove it. You have moved from the setup mode to the maintenance mode. A Type 2 report is demonstrating that the controls you designed and implemented in Type 1 are now operating effectively over the period chosen for the Type 2 audit.
Usually, the minimum audit period for a SOC 2 Type 2 is 3 months. You should talk with your customers to see if this will meet their needs. You might find one that will only take a minimum of 6 months. If your customers just need a report, then we would suggest going with the shorter period so that you can get out in the marketplace with the report and start winning new customers.
How To Decide What You Need
At the end of the day, your customers are going to want a SOC 2 Type 2 report.
If you need something quick to keep sales conversations going or as an internal milestone then a SOC 2 Type 1 is a great starting point. We would also suggest doing a SOC 2 Type 1 first if you are not using a readiness platform and are trying to do it by yourself. This will make sure that you are set up for a successful SOC 2 Type 2. You would hate to find out after your SOC 2 Type 2 audit period ended that your controls didn’t match the SOC 2 criteria. The SOC 2 Type 1 provides that safety net for you to know you are on the right path.
Deciding to do a SOC 2 Type 1 will not slow you down in obtaining a SOC 2 Type 2. While the audit is being performed on your Type 1 you can start the audit period for Type 2. That way you will already be part way through the audit period by the time you receive the SOC 2 Type 1 report.
The additional cost for a SOC 2 Type 1 report is usually fairly small. Most CPA firms will give you a bundled cost for a Type 1 and a Type 2 that provide the two audits at a significantly lower price.
If none of those cases fit your needs, then we would suggest you go straight for Type 2.
A readiness platform will make sure that all of your controls match the SOC 2 criteria and that you are set up for success.
If your customers will only take a SOC 2 Type 2 and you need something to prove you are taking it seriously and are working on your SOC 2, you can also ask your auditors for an engagement letter to share with your potential customers to show that you are working on your SOC 2 Type 2. That will have enough weight with potential clients to keep sales conversations moving forward.
SOC 2 Compliance Audit Readiness
No matter which path you take, you will end up at the SOC 2 Type 2 report. There isn’t a wrong way to approach it. As you are making your choice, talk to your customers (if you can) and talk to your auditor about what is going on. Your auditor can walk you through both paths and help you make the best decision for your company.
You’re dealing with private data and information, so suffice it to say, yes, a self-audit is a great way to ensure your organization takes its responsibilities for security seriously.
After a SOC 2 compliance self-audit and remediation, your organization is ready for its SOC 2 compliance audit from an experienced and specialized CPA like Johanson Group.
ABOUT JOHANSON GROUP:
Johanson Group, based in Colorado Springs, CO, provides audits and professional services to public and private companies in a variety of industries worldwide.
We serve:
SaaS Start-ups
SaaS Healthcare Organizations
Established SaaS Companies
Government SaaS Organizations
We provide: