SOC Reports: Type 1 vs Type 2 vs Readiness Assessment

Your client requested a SOC report, but what’s next? For organizations seeking a SOC 1, SOC 2, or ISAE 3402, there are two attestation options available: Type 1 and Type 2. Additionally, a readiness assessment can be performed to prepare your organization for the attestation.

Our experienced assessors break down the options, so the path to compliance, and the difference between a SOC Type 1 and a Type 2, is clear.

Readiness Assessment

A readiness assessment measures and examines how prepared your organization is for a Type 1 or Type 2 assessment. Used for internal purposes, this assessment provides your organization with a greater understanding of the demands of a SOC audit. The deliverables include a listing of your current controls, as well as an identification of recommendations that should be implemented to enhance your environment prior to the full assessment.

Type 1 Report

With a Type 1 report, your organization’s controls are assessed at a specific point in time. This report acts as a snapshot of your environment to determine and demonstrate whether the controls are suitably designed and in place. For example, we will take one terminated employee and confirm that their access was properly revoked and documented via a ticketing system.

A Type 1 report has the following characteristics:

  • Description of your organization’s system as a whole
  • Assesses the design of your organization’s internal controls
  • Tests a specific point in time

A-LIGN recommends that organizations that have never completed a compliance or cybersecurity assessment start their compliance journey with a Type 1 report and move on to a Type 2 in the following audit period.

Type 2 Report

For a Type 2 report, your organization’s controls are assessed over a period of time, typically a twelve-month review period. Unlike a Type 1 report, a Type 2 acts as a historical review of your environment to determine and demonstrate whether the controls are suitably designed and in place, as well as operating effectively over time. The audit process includes sample testing within the review period to determine whether your organization’s controls are operating effectively. For instance, we will take a sample of employees from the population of terminated personnel and confirm that their access was properly revoked and documented via a ticketing system during the agreed-upon review period.

A Type 2 report has the following characteristics:

  • Description of your organization’s system as a whole
  • Assesses the design of your organization’s controls, as well as their operating effectiveness
  • Focuses on a period of time in which the controls are operating
  • Features detailed descriptions of the auditor’s tests and test results of the controls

Since a Type 2 report is more granular and comprehensive than a Type 1 report, it often provides your clients with a higher level of assurance.

Migrating from Type 1 to Type 2

Many organizations use the successful completion of a Type 1 report as the start of the review period’s clock. Once the desired review period’s time has elapsed, A-LIGN will re-engage with your organization and conduct the historical testing to complete the Type 2 report.

Our assessors provide these simple, actionable tips for a smooth transition between report types:

  • Review audit opinion from the Type 1 report
  • Remediate and implement necessary and additional controls
  • Document controls with appropriate evidence for review
  • Consistently inspect controls for proper execution (internal random sampling/testing prior to the audit period)
  • Ensure education/training is provided for new controls implemented after the Type 1 assessment
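As an added illustration (not A-LIGN's code or audit methodology), the Python below models the terminated-employee control test described above in both styles: a point-in-time check of one termination, as in a Type 1, and a sampled check across a review period, as in a Type 2 or the internal sampling recommended before the audit period. The personnel records, ticket dates, field names and the three-day revocation SLA are constructed assumptions.

```python
import random
from datetime import date

# Constructed sample data (not real personnel records): employee id -> termination date.
TERMINATIONS = {
    "e001": date(2023, 1, 10),
    "e002": date(2023, 3, 4),
    "e003": date(2023, 6, 22),
    "e004": date(2023, 9, 15),
    "e005": date(2023, 11, 30),
}
# Accounts still enabled in the directory at the time of the check (constructed).
ACTIVE_ACCOUNTS = {"e003", "e999"}
# Employee id -> date the access-removal ticket was closed (constructed; e003 has none).
TICKETS = {
    "e001": date(2023, 1, 11),
    "e002": date(2023, 3, 6),
    "e004": date(2023, 9, 25),   # closed ten days after termination
    "e005": date(2023, 12, 1),
}
SLA_DAYS = 3  # assumed policy: access revoked and ticket closed within 3 days


def check_termination(emp_id):
    """Test one terminated employee: account disabled, ticket present, ticket within SLA."""
    if emp_id in ACTIVE_ACCOUNTS:
        return False, "account still active"
    closed = TICKETS.get(emp_id)
    if closed is None:
        return False, "no revocation ticket"
    if (closed - TERMINATIONS[emp_id]).days > SLA_DAYS:
        return False, "ticket closed outside SLA"
    return True, "ok"


def type1_check(emp_id):
    """Type 1 style: a single example termination examined at a point in time."""
    return check_termination(emp_id)


def type2_sample(period_start, period_end, sample_size, seed=0):
    """Type 2 style: draw a sample from terminations inside the review period and test each.

    Returns {employee id: (passed, reason)} for the sampled population."""
    population = sorted(e for e, d in TERMINATIONS.items() if period_start <= d <= period_end)
    rng = random.Random(seed)  # fixed seed so the sample is reproducible for the workpapers
    sample = rng.sample(population, min(sample_size, len(population)))
    return {e: check_termination(e) for e in sample}
```

Any sampled termination that returns a failure is an exception the auditor would note in the test results; an internal run over the whole population before the audit period finds those exceptions first.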

If you would like more information regarding specific report types or need assistance in preparing for a SOC 1, SOC 2, or ISAE 3402 assessment, contact the professionals at A-LIGN at info@a-lign.com or call 1-888-702-5446.