SOC reports are critical to the overall success of our third-party risk management. They’re one of the most accurate tools available for gauging how well a vendor’s internal control environment is operating. Additionally, as you may be aware, a SOC 1 report is an essential request when a vendor could have an impact on your organization’s financial reporting. But there are also two variants of SOC 1 reports: Type I and Type II.
Let’s take a closer look at the SOC 1 Type II report.
SOC 1 Overview
As we briefly mentioned, a SOC 1 report is designed to review a vendor’s internal controls which relate specifically to financial reporting. Typically, the SOC 1 report will include:
- A description of the controls
- The tests performed to assess them
- Test results
- An expert opinion on the design/operational effectiveness of all of the above
So, what can you expect when you request a SOC 1 Type II Report?
The SOC 1 Type II report will include:
- Evidence around specific controls that were in place and operating for a period of time (6-12 months)
- Documentation of control design (i.e., information technology, computer operation and data processing controls)
- A description of any significant changes (such as change management)
- Details of tests performed and test results around operational effectiveness
- An overall auditor opinion on control effectiveness
SOC 1 Type II reports are typically more comprehensive than a Type I report as they evaluate operational processes and control effectiveness over a specified time (the reporting period) through testing, versus a Type I report that generally verifies controls are in place on a specific date, but doesn’t necessarily test that they are operating effectively.
It’s a due diligence best practice to request comprehensive SOC reports from your third parties, especially your critical and high-risk vendors. If you have any concerns around your vendor’s financial health, your SOC 1 Type II is a great place to start.