Question 35
Which of the following BEST describes the difference between a Type 1 and a Type 2 SOC report?
Correct answer: D
Explanation
A Type 1 SOC report addresses whether controls are suitably designed at a specific point in time, while a Type 2 SOC report also tests whether those controls operated effectively over a period. In other words, Type 1 focuses on "design," and Type 2 includes "operating effectiveness."
Why each option is right or wrong
A. There is no difference between a Type 2 and a Type 1 SOC report.
B. A Type 1 SOC report provides an attestation, whereas a Type 2 SOC report offers a certification.
C. A Type 2 SOC report validates the suitability of the control design, whereas a Type 1 SOC report validates the operating effectiveness of controls.
D. A Type 2 SOC report validates the operating effectiveness of controls, whereas a Type 1 SOC report validates the suitability of the design of the controls.
Under the AICPA SSAE 18 SOC reporting framework, a Type 1 report is limited to the service organization’s system description and the suitability of the design of controls as of a specified date. A Type 2 report covers the same design assessment but also includes tests of controls over a defined review period, so it is the one that evidences operating effectiveness rather than design alone.