Background
We are often asked: “Do I have to do a SOC 2 Type 1 audit before my SOC 2 Type 2, or can I go straight to Type 2?” The answer is that you do not have to have a SOC 2 Type 1 performed before a SOC 2 Type 2 audit, but each approach has its own benefits. In this article we cover the differences between these two very similar audits, why you may elect to have a SOC 2 Type 1 audit performed before your Type 2, and why you may decide to move straight into a Type 2.
What is a SOC 2 Audit?
A SOC 2 audit is an audit conducted against the American Institute of Certified Public Accountants (AICPA) 2017 Trust Services Criteria for Security, Availability, Processing Integrity, Confidentiality, and Privacy. In this audit, a CPA firm evaluates your system or service against the criteria outlined in that AICPA standard. The final deliverable of a SOC 2 audit is a SOC 2 report. SOC 2 reports come in two types: a Type 1 and a Type 2.
What is a SOC 2 Type 1 Audit?
During a SOC 2 Type 1 audit, the CPA firm evaluates your system or service against the criteria outlined in the AICPA 2017 Trust Services Criteria. Companies meet these criteria by implementing controls. In a Type 1 audit, the auditors evaluate only the design of the controls, not whether they are functioning properly. Because a SOC 2 Type 1 tests only control design, it makes this determination as of a single day, or point in time, called the “As Of” date. The final deliverable of a SOC 2 Type 1 audit is a SOC 2 Type 1 report. When this report lists the controls in Section 4, it does not disclose the testing performed by the auditor.
What is a SOC 2 Type 2 Audit?
During a SOC 2 Type 2 audit, the CPA firm evaluates an organization’s system or service against the same criteria as a SOC 2 Type 1 audit, in the same way. The primary difference is that a SOC 2 Type 2 tests both the design of the controls an organization implements and the operating effectiveness of those controls (that is, whether the controls actually work). For this reason, a SOC 2 Type 2 audit must be carried out over a period of time during which the auditor monitors the effectiveness of your controls. The final deliverable of a SOC 2 Type 2 audit is a SOC 2 Type 2 report. When this report lists the controls in Section 4, it discloses the tests the auditor performed when testing the operating effectiveness of the controls.
Why would you get a SOC 2 Type 1 Audit?
A SOC 2 Type 1 audit may be performed when it is your first time undergoing a SOC 2 audit, because the threshold for evidence is much lower. The auditor evaluates only the design of your controls, not whether they actually work. For this reason, an auditor may examine only one sample to show that a control is designed appropriately. For instance, if the auditor is testing for daily database backups, they would look for one example of a database backup. Some auditors may not even test an example and may only check whether your policies state that daily database backups are performed. The first time you undergo a SOC 2 audit, this is desirable because it can help to identify any obvious gaps in your control environment. The controls tested in a SOC 2 Type 1 audit are the same controls tested in a SOC 2 Type 2 audit, so a SOC 2 Type 1 audit can serve as preparation for a SOC 2 Type 2 audit. Finally, a SOC 2 Type 1 audit results in a report, which can often be used to provide some information to customers or prospects who are requesting a SOC 2 Type 2 report. Since a SOC 2 Type 1 report is delivered faster than a SOC 2 Type 2 report, as it covers only a single day, it can demonstrate to your customers or prospects that you are taking their request seriously and working towards the more rigorous SOC 2 Type 2 report.
Why would you get a SOC 2 Type 2 Audit?
A SOC 2 Type 2 audit is generally what customers and prospects request, so in order to satisfy those requests, companies often have a SOC 2 Type 2 audit performed. A SOC 2 Type 2 audit is better for providing information to customers and prospects, since it discloses which tests were actually performed and the results of those tests. In that way, it provides a higher level of assurance to the readers of the report than a SOC 2 Type 1 audit. Because of this higher level of assurance, the tests performed by the auditor are also more rigorous. Sticking with the daily database backups from before, in a SOC 2 Type 2 audit the auditor would test this control by selecting a random sample of days within the audit period and confirming that backups of your database were successfully performed on those days. If a backup was not performed on a sampled date, it may lead to an exception, which would be disclosed within the SOC 2 Type 2 report. Since it is what customers and prospects most often request, some companies choose to move straight into a SOC 2 Type 2 audit without having a SOC 2 Type 1 audit performed. The main benefit of this approach is that it reduces overall audit costs, since you pay for a single audit rather than two.
Do we have to do a SOC 2 Type 2 Audit?
There is no requirement to ever move to a SOC 2 Type 2 audit. Some companies have SOC 2 Type 1 audits performed perpetually, but this is uncommon and not recommended, since customers and prospects generally request a SOC 2 Type 2.