Type 1 and Type 2 Audit Report
There are two types of reports, SOC 2 and SOC 3, with a few key differences between them:
- The type of report: SOC 2 offers both Type I and Type II reports. SOC 3 reports are always Type II reports.
- Both SOC 2 and SOC 3 reports follow the SSAE 18 standards set by the AICPA. This means that both reports involve an audit by an AICPA-registered CPA and a lot of testing of an organization’s security controls.

Level of detail:
- SOC 2 Type 1 and Type 2 reports are popular for service organizations. SOC 2 Type 2 reports show how controls are in place to protect the needs of their clients.
- The SOC 3 Type 2 reports only contain the auditor’s opinion, management assertion, and system description.
Target Audience:
- SOC 2 reports are known as restricted-use reports. They are intended for a specific audience only. User entities, service organization management, or other specifically named parties would read a SOC 2 report.
- SOC 3 Type 2 reports can be distributed publicly, and the SOC 3 audited organisations can use the SOC 3 audit report for marketing purposes.