SOC 1 SSAE 18 Type 1 vs. Type 2 is a common subject area researched by service organizations, as they're searching for credible information relating to the similarities and differences between SOC 1 SSAE 18 Type 1 and Type 2 reporting. And while most service organizations eventually undertake SOC 1 SSAE 18 Type 2 compliance, a SOC 1 SSAE 18 Type 1 assessment is often looked upon as a great starting point for entities new to the world of reporting on controls at service organizations.
SOC 1 SSAE 18 Type 1
Specifically, a SOC 1 SSAE 18 Type 1 assessment is for a specific point in time (i.e., August 27, 20xx), while a SOC 1 SSAE 18 Type 2 report covers a period in time, which is known as the "test period". This test period is generally seen as six (6) months in length, but can also be any number of months necessary for testing of controls. Because of this, many SOC 1 SSAE 18 Type 2 assessments are 6, 8, 10, or even 12 months long.
SOC 1 SSAE 18 Type 2
Thus, for SOC 1 SSAE 18 Type 2, reporting is done on the “suitability of the design and operating effectiveness of controls” for a given period, whereas for SOC 1 SSAE 18 Type 1, there is no testing on the “operating effectiveness of controls”. For an ounce of clarity, just remember that SOC 1 SSAE 18 Type 2 reporting covers a period (generally 6 months, or more), while SOC 1 SSAE 18 Type 1 is merely a snapshot in time – that is – reporting on for a specific date. And also remember that SOC 1 SSAE 18 Type 1 reporting is seen merely as a starting point for service organizations, with the ultimate goal of undertaking SOC 1 SSAE 18 Type 2 reporting procedures.
Understanding the Difference with SOC 1 SSAE 18 Type 1 and Type 2 Audits
But there are similarities also when it comes to SOC 1 SSAE 18 Type 1 vs. Type 2 reporting. Specifically, both the description of the service organization’s “system”, along with a written statement of assertion are required by management for Type 1 and Type 2 reporting. The description of the "system" is essentially the following:
"the services provided, along with the supporting processes, policies, procedures, personnel and operational activities that constitute the service organization's core activities that are relevant to user entities."
As for the written statement of assertion by management, it's simply a document whereby management of the actual service organization must assert to a number of clauses and provisions relating to the actual SOC 1 SSAE 18 assessment being conducted, either a Type 1 or a Type 2.
Important Points to Know Regarding SOC 1 SSAE 18 Type 1 vs. Type 2
As can clearly be seen, there are differences, but also similarities - but again - it's important to remember the following points regarding SOC 1 SSAE 18 Type 1 vs. Type 2 reporting:
1. SOC 1 SSAE 18 Type 1 reporting is for a snapshot or point in time.
2. SOC 1 SSAE 18 Type 2 covers a "period" for reporting, generally a six (6) month test period, or more.
3. Type 1 reporting is merely just a stepping stone for what's ultimately required by service organizations - Type 2 reporting.
4. Both SOC 1 SSAE 18 Type 1 and Type 2 reporting require the written statement of assertion, along with a description of one’s “system”.
5. Subservice organizations can play an important role in both Type 1 and Type 2 reporting.
Call Christopher G. Nickell, CPA, to receive to learn more about SOC 1 SSAE 18 Type 1 and Type 2 reporting, and to receive a competitive, fixed-fee proposal. He can be reached at 1-800-277-5415, ext. 706.