- Cyber Security Services
- Compliance Services
- IT Risk and Audit Services
- Contact Us
One of the challenges that we have when it comes to consulting with our clients on SSAE 16 is the confusion that comes with the different reports and types of reports. In last weeks blog post, we outlined what the key differences are between a SOC 1, SOC 2, and a SOC 3 report. This week, we are going to focus specifically on the SSAE 16 SOC 2 reports and discuss what the differences are between a Type I and a Type II report. Before we dig into the differences, let me quickly summarize what we are going to cover in this post as a follow up to last weeks post.
As you might recall, SOC stands for Service Organization Controls, and the SOC 2 focuses on the internal controls at an organization related to compliance or operations, wrapped around the 5 Trust Principles (Security, Confidentiality, Processing Integrity, Availability, and Privacy). Depending on your organization and your business, some or all 5 of the Trust Principles would be in scope. When a CPA Firm provides the attestation on those 5 Trust Principles, they will issue either a SOC 2 Type I or a SOC 2 Type II report. These reports are very different in nature and are very confusing. Hopefully by the end of this post we will be able to demonstrate the differences a little more clearly and eliminate some of the confusion around what exactly these reports are.
So there you have it. There are several difference between a SOC 2 Type I and a SOC 2 Type II report but the biggest ones are the testing of the controls (operating effectiveness) and the length of time as the SOC 2 Type II takes much longer to complete. ***On a side note, while you can evaluate the operating effectiveness of the controls for a minimum of 6 months, you can go longer (12 months) as well.***
The SSAE 16 SOC 2 Report process sounds confusing, mostly due to the similar terminology that is used to identify the reports. If you are just getting started on the SSAE 16 SOC 2 report process and aren't sure where to start, contact us for a no cost consultation. Also, download our SSAE 16 presentation from our webinar series for more details on the SSAE 16 process and recent changes!