SOC 1 Type 1 versus Type 2: What type of assurance are you receiving?
First, the basics: Both Type 1 and Type 2 reports provide attestation by the service auditor about the fairness of the presentation of the description of the service organization’s system, as well as the suitability of the design of the controls to achieve the related control objectives stated in the description. Where the reports differ, however, is in the scope of their reporting period and depth of testing. When conducting a Type 1 examination, the service auditor tests (compiles evidence) that the controls specified in the description of the service organization’s system are in operation as of the specific reporting date. During a Type 2 examination, however, a service auditor tests (compiles evidence), via sampling, that the controls were operating effectively during the entire reporting period (not less than six months). Since Type 2 reports cover a period of time, they will also reflect any relevant changes that occurred during the period as well.
When a service organization decides to undergo an initial SOC 1 examination, some will choose to first undergo a Type 1. This is a great starting point for entities new to the world of reporting on controls as many firms may not have the documentation available for the procedures a service auditor performs during a Type 2. Most service organizations will eventually move to the more comprehensive Type 2 examination once they have completed a Type 1 examination.
In the case of a Type 2 examination, it is critical for the reader of the report to evaluate the appropriateness of the period covered by the tests of controls. The SOC 1 report is an auditor-to-auditor communication, with the purpose of providing user auditors with information about controls at a service organization that are relevant to the user entities’ internal controls over financial reporting. The auditors that complete the annual fund audits for investment manager’s, request and review the manager’s SOC 1 report as part of their risk assessment process and planning for their overall audit strategy. It is important to keep in mind that the shorter the period covered by a specific test and the longer the time elapsed since the performance of the test, the less assurance the report may provide. For example, a report on a six-month testing period that overlaps with only one or two months of the user entity’s financial reporting period offers less support for an auditor to rely on than a report in which the testing covers six or twelve months of the user entity’s financial reporting period.
Investment managers are increasingly seeing RFP questions related to SOC 1 exams as these reports are commonly used to perform due diligence on an organization. Similarly, investment advisors are requesting these reports from their key vendors as part of their cyber security due diligence efforts. When relying on these reports, it is imperative to understand the level of assurance and whether the scope of report is applicable to the intended use. For example, an investment manager currently uses Company ABC as their third party vendor for trade settlement. The manager is provided Company ABC’s most recent SOC 1 report that covers their controls related to their fund administration services, which does not cover the relevant controls related to the trade settlement function they engage with Company ABC for, therefore, the report is not appropriate to give a level of assurance over their controls related to trade settlement. Another important element that readers of the report should consider is the complementary user entity control considerations. The AICPA defines these as “controls that management of the service organization assumes, in the design of its service, will be implemented by user entities, and which, if necessary to achieve the control objectives stated in management’s description of the service organization’s system, are identified as such in that description.” The issuer of the report assumes that certain complementary controls are implemented by the user entity, and that these controls are operating effectively. In order for the user of the report to rely on the controls included within, they must evaluate their own internal controls to determine that appropriate risk areas are covered within the report, or within their own internal control structure.
Next time you request an SOC 1 report from vendors or provide an SOC 1 report to prospective or current clients, keep these key points in mind to ensure the assurance provided within the report is applicable and relevant based on your due diligence needs and those of your clients.