Updated: Feb 16
Within SOC reporting, there's SOC 1 and SOC 2, and each has Type 1 and Type 2 reports. Type 1 is design-only, like a photograph at a point in time of what your control practices are. Type 2 is like the movie that covers a period of time, showing changes over time and that you continually apply those practices. Read about SOC 1, SOC 2, SOC 2+ and SOC 3 in our post on SOC Report Types.
All businesses are looking for the most cost-effective approach. Why spend more than what's necessary, particularly when it comes to a "compliance" activity? Many businesses see it as a "tick-the-box" exercise where the cost, in terms of both external fees and internal time investment, is best minimised.
The industry standard approach to SOC reporting is to first issue a Type 1 report to confirm the design of your control practices, followed by a Type 2 report to confirm the ongoing operating effectiveness. Most customers or end users expect Type 2 reports to be provided on an annual basis to confirm ongoing effectiveness with continuous coverage. The first Type 2 period usually starts from the day after the Type 1 report date. But the SOC reporting approach, dates and period(s) are flexible for the business to decide. This should be informed by end users' expectations and requirements.
Why should you do a Type 1 report prior to Type 2?
There are five reasons, but let's start with the one most people care about: cost.
1. COST
It's perhaps a misconception that the total costs are higher from doing a Type 1 report first. On face value it's an "extra" report that incurs costs and can otherwise be skipped when proceeding straight to Type 2. So skipping it saves costs, right?
Not necessarily. A rule of thumb is that a Type 2 report costs 50% more than a Type 1 report. For illustrative purposes let's say the fees are $20k for Type 1 and $30k for Type 2. Here's how it plays out in practice:
ClientX (Type 1 first) - The average timeline has clients achieving SOC "compliance" in 6 months, and issuing a Type 1 report in about 7-9 months. That’s then followed by a 12 month Type 2 report.
Total 2 year costs: $75k
ClientY (Type 2 first) - Clients pursuing Type 2 first may similarly achieve SOC "compliance" in 6 months. They often do their first Type 2 reporting period for only 3-6 months, because otherwise it leaves a long time before there's any report to share with customers. That means issuing the first Type 2 report in about 9-12 months. It's then followed by a 12 month second Type 2 report.
Total 2 year costs: $90k
This simple example shows how costs are actually higher when proceeding straight to Type 2 reports, because a Type 1 report is lower cost and can replace a Type 2 report for year 1 of SOC reporting. That also excludes the Readiness Review that is usually required prior to a Type 2 live audit period if the Type 1 is not performed. That review generally exceeds $10k.
2. CONFIDENCE IN YOUR COMPLIANCE
When we say “compliance”, we mean the control practices in place satisfy the SOC criteria (SOC 2) or control objectives (SOC 1), and are being applied in a consistent manner with audit evidence retained. A benefit of Type 1 reports is the flexibility during the audit where “issues” can be identified and resolved prior to issuing the report. These aren't reported as issues in the report as it's a snapshot at the point in time that compliance is achieved.
When going straight into a Type 2 period without a Type 1 audit first, a Readiness Review is typically conducted prior to the "live" reporting period. This is not a full audit with all the steps to issue a SOC report, so it doesn't give the same level of comfort. This approach is more likely to result in issues in the first SOC report. If no Readiness Review is conducted at all, the first report is especially prone to issues, as audit evidence may not have been retained to prove your controls, and that is only identified during the audit process.
3. TIMING
A Type 1 report can be issued at least 3-6 months earlier than a Type 2 report. This is because a Type 2 report covers a period of time that needs to pass prior to performing the audit and issuing the report. The SOC standards suggest a minimum period of 6 months, but some audit firms provide reports for 3 months for first-time SOC reporting clients.
If your end users are pushing to get a SOC report in the near future, or it’s key to winning new sales, then obtaining the Type 1 report at an earlier time may be better!
4. BUSINESS IMPACT
The audit process requires involvement from the business. The first audit always requires a bit of extra work while the business and auditor build a mutual understanding.
Undergoing Type 1 prior to Type 2 spreads out that business impact, as the Type 1 requires less audit testing. For Type 1, auditors test a single sample of each control practice to confirm the design effectiveness. For Type 2, auditors obtain populations, then select and test multiple samples. A Type 1 report paves the way for the Type 2 without tackling it all at once.
5. BETTER COVERAGE
When proceeding to a Type 2 directly, the report usually covers a period of 3-6 months. Otherwise, it takes too long to get your first SOC 2 report to demonstrate compliance. In 3-6 month Type 2 reports, it's common to have "disclosures of non-occurrence" where the controls have not been applied because they weren't relevant in that timeframe. This includes controls like new joiners, incidents, and activities performed on an annual basis like penetration tests. These disclosures are not "issues" in the report, but they do undermine the assurance your customers receive. In contrast, when you issue a Type 1 report first, your customers are generally satisfied with that and will wait for the SOC 2 Type 2 report with coverage of a full 12 month period.
6. CONTINUED IMPROVEMENT
In a Type 1 audit, some things are deemed "adequate" based on their design that may not be "enough" in a Type 2 audit, as the auditor also needs to sign off the operating effectiveness. The benefit of this is that it enables a continual improvement approach: setting a minimum bar initially, then revising and improving it over time to give the business time to adjust and find what works best.
We always recommend that our clients start with a Type 1 report prior to Type 2. Some of our clients (~10%) still choose to proceed straight to Type 2, and that's fine too.