SSAE 16 SOC 2: Differences Between Type I and Type II Reports

One of the challenges that we have when it comes to consulting with our clients on SSAE 16 is the confusion that comes with the different reports and types of reports. In last weeks blog post, we outlined what the key differences are between a SOC 1, SOC 2, and a SOC 3 report. This week, we are going to focus specifically on the SSAE 16 SOC 2 reports and discuss what the differences are between a Type I and a Type II report. Before we dig into the differences, let me quickly summarize what we are going to cover in this post as a follow up to last weeks post. 

As you might recall, SOC stands for Service Organization Controls, and the SOC 2 focuses on the internal controls at an organization related to compliance or operations, wrapped around the 5 Trust Principles (Security, Confidentiality, Processing Integrity, Availability, and Privacy). Depending on your organization and your business, some or all 5 of the Trust Principles would be in scope. When a CPA Firm provides the attestation on those 5 Trust Principles, they will issue either a SOC 2 Type I or a SOC 2 Type II report. These reports are very different in nature and are very confusing. Hopefully by the end of this post we will be able to demonstrate the differences a little more clearly and eliminate some of the confusion around what exactly these reports are.

• SOC 2 Type I Report - This report is a report on management's description of a service organizations system and the suitability of the design of controls. What does that mean in English? Essentially what this means is that a SOC 2 Type I report looks at a point in time at the system that is in scope, how the management of the organization describes the system, and what controls are in place around that system. The key to this specific report is that it is a point in time, or an "as of" date. An auditor will issue an opinion based on managements description of the controls and review of the documentation around these controls. 
• SOC 2 Type II Report - This report is similar in nature to the Type I report as it provides a report on managements description of a service organizations system and the suitability of design and operating effectiveness of controls. For a SOC 2 Type II report, the controls are described and evaluated, for an absolute minimum of 6 months, to determine if they are functioning as they are described by management. An auditor will test the controls and issue an opinion based on the description by management versus the operating effectiveness of the controls. 

So there you have it. There are several difference between a SOC 2 Type I and a SOC 2 Type II report but the biggest ones are the testing of the controls (operating effectiveness) and the length of time as the SOC 2 Type II takes much longer to complete. ***On a side note, while you can evaluate the operating effectiveness of the controls for a minimum of 6 months, you can go longer (12 months) as well.***

The SSAE 16 SOC 2 Report process sounds confusing, mostly due to the similar terminology that is used to identify the reports. If you are just getting started on the SSAE 16 SOC 2 report process and aren't sure where to start, contact us for a no cost consultation!