SOC Report Testing Expectations for a Type 1 & Type 2 Report

Written by: Kayleigh Fitzpatrick

In our previous article, we discussed how SOC 1 and SOC 2 reports can be issued as a Type 1 or Type 2. A Type 1 report assesses the design of the service organization’s controls, while the Type 2 report assesses the design, implementation, and operating effectiveness of the service organization’s controls. When we speak to organizations about the types of SOC reports available, we are commonly asked the question, “How will the testing and level of effort vary between a Type 1 report and a Type 2 report?” Today, we will discuss what to expect when undergoing testing for these reporting options.

Testing For a Type 1 Report

The testing performed by your auditor for a Type 1 report will be to determine if the controls detailed in your system description are properly designed and implemented. These reports require the least amount of testing effort compared to the Type 2 reports. From a testing perspective, your auditor will review the system description and meet with management to validate whether the controls described in the system description are accurate. Your auditor will also seek to confirm the implementation of these controls by requesting and reviewing policies, user lists, and configurations from monitoring tools and other systems, as well as example occurrences of controls.

For instance, your system description may illustrate that background checks are performed for all new hires. In this case, your auditor will confirm the design of this control by speaking to the responsible individuals. The auditor will also request and review policies and procedures that govern the process and review an example completed background check to validate control implementation. A similar thought process can be applied to other controls, such as policy acknowledgments and the completion of training for your organization’s new hires.

For another example, let’s consider how testing would be completed for a monthly user access review control in a Type 1 report. If an organization states it has a process in place to review user access monthly, the design of this control could be tested by inquiring with responsible management about the process and reviewing the policies and procedures that govern it. The auditor would request a recently completed user access review for the in-scope technologies. The auditor’s review is then limited to this single instance, since only the design and implementation of the control are being assessed.

Testing For a Type 2 Report

The testing performed by your auditor for a Type 2 report involves determining if the controls detailed in your system description are properly designed, implemented, and operating effectively. These reports require a higher level of effort and time compared to the Type 1 report. From a testing perspective, your auditor will review the system description and meet with management to validate that the controls illustrated in the system description are accurate. Your auditor will also seek to confirm the implementation of the described controls by requesting and reviewing policies, user lists, and configurations from monitoring tools and other systems. Finally, your auditor will be required to randomly sample control occurrences to confirm operating effectiveness. The random selections are made 100% by the auditor, and your organization will not have the ability to dictate what selections are made.

Now, let’s consider how the background check example would differ for a Type 2 report. Similar to Type 1, your auditor will still meet with management to understand the process and request applicable policies and procedures to confirm the implementation of the control. In addition, your auditor will need to look at a sample of new hires across the reporting period, rather than just one example new hire. Sampling allows the auditor to identify whether the control operated effectively over the defined period of time. To sample, the auditor obtains a population of all employees hired during the audit period; the number of occurrences in that population determines how many instances must be sampled, because auditors follow defined sampling methodologies. Your auditor will then make the necessary random selections and provide you with the list of new hire background checks they want to see. These will then need to be provided to the auditor for review, or a time will need to be scheduled to allow the auditor to observe each completed background check.

To revisit the monthly user access review example above, the same thought process can be applied with a Type 2 report. Your auditor will ask to discuss the process followed for the reviews and request any policies and procedures that guided these reviews. Your auditor will then randomly select a sample of months from the reporting period (generally 2-4 months will be picked, assuming the report covers a 12-month period) and ask to be provided with the completed user access reviews for the designated in-scope technologies for each sampled month. Lastly, for each sampled month, the auditor would look to confirm that the user access review was completed and documented for each in-scope technology.

Conclusion

In summary, it is vital to understand that you can have the same controls in a Type 1 report and a Type 2 report. The main difference between these reports will be the amount of testing performed, since a Type 2 requires more time and resources for testing to be completed. This additional time results from the need to test operating effectiveness and to provide your auditor with their random sample selections. Although the level of effort may be greater, it is well worth the commitment. A Type 2 report is a stronger report that will surely please your customers and potential prospects.

If you have any questions regarding your organization’s SOC reporting requirements, reach out to a member of our SOC team today!