SOC2 TYPE 1 TYPE 2 Assessments (USA)

SOC 1 is an engagement performed under SSAE 16 in which a service auditor reports on controls at a service organization that may be relevant to user entities’ internal control over financial reporting. The scope of a SOC 1 report should cover the information systems that are utilized to deliver the services under review. There are two types of SOC 1 reporting options:

A SOC 1 report is for service organizations that impact or may impact their clients’ financial reporting.
A SOC 2 report is for service organizations that hold, store or process information of their clients, but is not significant to financial reporting
Type 1 report just provides a report of procedures/controls an organization has put in place as of a point in time. A Type 2 report has an audit period and provides evidence of how an organization operated its controls over a period of time. It is important to understand that there are not more stringent control requirements in a Type 2 SOC Report; but rather, it describes how a company’s control environment operated over its audit period (typically not less than six months). We can have the same controls in a Type 1 report as the Type 2; the only difference is that they are audited or examined over a period of time and testing results are reported in a SOC 1 and SOC 2 report.
SOC 1 is an engagement performed under SSAE 16 in which a service auditor reports on controls at a service organization that may be relevant to user entities’ internal control over financial reporting. The scope of a SOC 1 report should cover the information systems that are utilized to deliver the services under review. There are two types of SOC 1 reporting options:

• SOC 1 Type 1: A design of controls report. This option evaluates and reports on the design of
  controls put into operation as of a point in time.
• SOC 1 Type 2: Includes the design and testing of controls to report on the operational
  effectiveness of controls over a period of time (typically six months).

A SOC 2 report is an engagement performed under the AT section 101 and is based on the existing SysTrust and WebTrust principles. This report will have the same options as the SSAE 16 report where a service organization can decide to go under a Type 1 or Type 2 audit. However, unlike the SSAE 16 audit that is based on internal controls over financial reporting, the purpose of a SOC 2 report is to evaluate an organization’s information systems that are relevant to security, availability, processing integrity, confidentiality or privacy. The criteria for these engagements are contained in the Trust Services Principles Criteria and Illustrations. Organizations asked to provide an SSAE 16, but do not have an impact on their clients’ financial reporting, should select this reporting option.