Explore the essentials of SOC 2 compliance with our in-depth guide to Type 1 and Type 2 report structures. Learn how Type 1 evaluates control design at a single point in time, while Type 2 assesses both design and operating effectiveness over months. From auditor opinions to real-world examples like Provectus and Upollo, this newsletter breaks down each section and highlights key differences for service organizations.
A SOC 2 Type 1 report is a point-in-time assessment that evaluates the design of a service organization’s controls as of a specific date. It does not test the operating effectiveness of those controls over time. The structure typically includes the following sections:
Written by the independent auditor, this section provides their opinion on whether the description of the system is fairly presented and whether the controls are suitably designed to meet the applicable Trust Services Criteria (e.g., Security, Availability) as of the specified date. Example opinion types:
A letter from the service organization’s management asserting that the system description is accurate and that the controls are suitably designed as of the specified date. It outlines the scope of the report and management’s responsibility for the controls.
A detailed narrative provided by management about the organization’s system, including services, infrastructure, software, people, processes, and controls in place. Covers components like system boundaries, sub-service organizations (if applicable), and how the system aligns with the Trust Services Criteria.
A list of the controls evaluated during the audit, tied to the relevant Trust Services Criteria. Unlike Type 2, this section does not include testing procedures or results since Type 1 focuses only on design at a single point in time.
Additional details provided by management, such as responses to exceptions (if any) or context about the organization’s operations. This section is not audited but included for clarity.
A SOC 2 Type 2 report assesses both the design and operating effectiveness of controls over a period of time (typically 6 to 12 months). It builds on the Type 1 structure but adds detailed testing procedures and their results. The structure includes:
The auditor’s opinion on whether the system description is fairly presented, the controls are suitably designed, and the controls operated effectively throughout the specified period. Similar opinion types apply:
Management’s statement asserting the accuracy of the system description, the suitability of control design, and the effectiveness of controls over the audit period. Specifies the review period (e.g., July 1, 2024, to December 31, 2024).
Same as Type 1: a detailed overview of the system, including services, infrastructure, and controls, aligned with the Trust Services Criteria. May include changes to the system that occurred during the audit period.
The core difference from Type 1: this section lists all controls, describes the auditor’s testing procedures (e.g., inquiry, observation, inspection), and provides the results of those tests. Results indicate whether each control operated effectively or whether exceptions or deviations were noted. It is presented in a detailed table or narrative format and is usually the longest section of the report.
Similar to Type 1, this may include management’s responses to exceptions or additional context. It’s unaudited but provides further insight.
SOC 2 reports are typically confidential and shared under NDA, but some companies have made theirs publicly available. Below are links to SOC 2 Type 1 and Type 2 reports from various organizations, including small to medium-sized enterprises (SMEs), which serve as real-world examples:
These reports demonstrate the structural differences outlined above, with Type 1 reports focusing on design at a specific moment and Type 2 reports including detailed testing over a period. Notably, SiteCare, Trisk, and Kolide represent SMEs, offering insight into how smaller organizations approach SOC 2 compliance.
The SOC 2 Type 1 and Type 2 reports linked in this section were publicly available on the internet at the time of writing. We are not affiliated with the companies mentioned (e.g., Provectus IT, Inc., Upollo, SiteCare, Trisk, Kolide by 1Password) and have not independently verified the accuracy, authenticity, or completeness of these reports. These links are provided solely for illustrative purposes as examples of publicly posted SOC 2 reports. We are not liable for any inaccuracies, errors, or omissions in these documents, nor do we endorse the companies or their services. The inclusion of these reports does not imply that we obtained them from any private or proprietary source; they were sourced from publicly accessible locations.