The difference between SOC Type 1 and Type 2 reports

A service organization control (SOC) report can be either a Type 1 or a Type 2 report. A Type 1 report is management’s description of a service organization’s system and a service auditor’s report on that description and on the suitability of the design of controls. A Type 2 report goes a step further: the service auditor also reports on the operating effectiveness of those controls. The differences between the reports are:

  • A Type 1 report describes the procedures and controls that have been installed, while a Type 2 report provides evidence about how those controls have been operated over a period of time.

  • A Type 1 report attests to the suitability of the controls being used, while a Type 2 report contains an opinion regarding the operating effectiveness of those controls over the audit period.

  • A Type 1 report describes procedures and controls as of a specific point in time, while a Type 2 report covers how the controls have been operating during the audit period.

An auditor of a firm that is using a service organization to conduct certain operations on its behalf (such as payroll processing) will typically request one of these reports in order to gain some degree of assurance regarding the efficacy of the system of controls put in place by the service organization.

Both reports can assist the auditor in identifying and assessing the risk of material misstatement, but a Type 1 report does not provide evidence concerning the operating effectiveness of controls. A Type 2 report may offer little audit evidence when there is little overlap between the period covered by the report and the period being audited.
