SOC 1 reports are primarily used to provide your client’s auditors with information and our opinion about your organization’s controls which may be relevant to your clients’ internal control over financial reporting. There are two types of SOC 1 reports:
A Type 1 report provides your client’s auditors with:
- A description of your organization’s systems
- Our opinion on the fairness of the description
- Our opinion on the suitability of the design of the controls to achieve the control objectives included in your description
This report is of a specific point in time and does not provide your clients’ auditors with any assurance about the effectiveness of your organization’s controls. As a result, your clients’ auditors may need to perform additional testing of your systems. This type of report may be the best option if you have not previously issued a SAS 70 or SOC 1 report.
A Type 2 report has all of the elements of a Type 1 report, but takes you one step further:
- We provide our opinion on the operating effectiveness of your organization’s controls relative to the specified control objectives.
- Operating effectiveness is evaluated over a period of time (usually six months or more of operations).
Your clients’ auditors can use this kind of report as audit evidence that your organization’s controls are operating effectively.