What is SOC 1 Type 2?


April 10, 2023

Author: Stytch Team

A mint green "SOC 1" icon floating in an orbit of cybersecurity related icons – locks and keys, HIPAA, etc.

How organizations prove security strength and trustworthiness when it comes to financial reporting

If you’re working as or with a company that handles sensitive financial data, at some point you’re going to need to ask for — or you’re going to be asked for — a SOC 1 Type 2 report.

When this occurs, it helps to know what to expect from a SOC 1 report, how it differs from other SOC reports, and why it’s a good idea for any service-providing organization to have their report up-to-date and at the ready.

So, let’s break it all down, starting with the basics.

What is a SOC report, exactly?

SOC stands for system and organization controls, formerly service organizations controls. At the broadest level, SOC refers to a suite of reports issued and overseen by the American Institute of Certified Public Accountants (AICPA).

To receive any SOC report, a service provider — or any organization that handles potentially sensitive customer data and documents, including user entities’ financial statements, health records, and any other private or confidential information — must pass a SOC examination or audit conducted by an independent, third-party CPA.

Types of SOC reports

There are three general categories of SOC reports. Each reporting option is subject to distinct AICPA auditing standards, which are outlined in their Statements on Standards for Attestation Engagements (SSAE).

SOC 1 reports

SOC 1 reports are financial in scope. They mainly concern what AICPA refers to as the “controls at a service organization relevant to user entities’ internal control over financial reporting.”

In simpler terms, a SOC 1 report evaluates the systems, policies, and procedures that a financial service organization uses to manage and protect their customers’ financial data. How these systems work, and how well they work, will directly affect customers’ internal controls over financial reporting (ICFR).

In a SOC 1 audit, key control objectives are identified and tested for both information technology (IT) and business processes around the specific services an organization provides their customers.

SOC 2 reports 

SOC 2 reports deal with a service organization’s internal controls around operations and compliance. They test in five specific areas that are laid out in the AICPA’s Trust Services Criteria (TSC):

  • Security
  • Availability
  • Processing integrity
  • Confidentiality
  • Privacy

The security criteria (also called the common criteria) are the only required elements when it comes to SOC 2. Otherwise, the main difference between SOC 1 and SOC 2 reports is that, in a SOC 2 report, an organization can choose which other criteria to include in an audit. 

SOC 3 reports

SOC 3 reports are far less common. They cover much of the same ground as SOC 2 reports, but with a less comprehensive approach.

Typically, a SOC 3 report omits details around the specific controls at a service organization and the results of any SOC examinations. That also means that, unlike a SOC 2 report, a SOC 3 report can be publicly shared. For example, a service organization can post its SOC 3 report on their website or distribute it to potential clients as a marketing asset.

SOC for cybersecurity

More recently, as cyberattacks have increased in both frequency and sophistication, AICPA has developed a new SOC for Cybersecurity report. This report examines a service organization’s system as it relates to their risk management program and online security practices.

Type 1 and Type 2 reports

Each of the above SOC categories can be further broken down into Type 1 and Type 2 reports. While each report type includes similar parameters, there are a few key differences between them.

A Type 1 (or Type I) report evaluates the design of a service organization’s system and its ability to achieve the related control objectives included in the audit, as of a specified date.

A Type 2 (or Type II) report assesses both the design and operating effectiveness of a service organization’s system and its ability to achieve related control objectives over a specific period of time — usually six months.

In short, a Type 2 report sets a higher bar by examining not only the design of a service organization’s system, but also its performance. Furthermore, Type 2 reports cover a longer audit period, ensuring that a service organization’s controls work reliably and consistently.

There are times when a service organization might pursue a Type 1 report on its own — like if they are pressed for time and just need to prove that they have certain controls in place. But generally, Type 2 reports are seen as the standard to which service organizations should be held.

Meeting control objectives and criteria

It should be noted that SOC reporting allows for flexibility in terms of how exactly different objectives and criteria are met.

For example, when evaluating controls related to cybersecurity, any combination of safeguards and authentication methods — from passcodes to biometrics — can be used to fulfill necessary criteria.

Why is a SOC 1 Type 2 report important?

Putting the above points together, a SOC 1 Type 2 report attests not only that a given service organization has the right controls over financial reporting in place, but that an objective auditor has confirmed that those controls are performing reliably and effectively.

In other words, it goes beyond mere compliance. A SOC 1 Type 2 report is a stamp of approval from a recognized regulatory body verifying that a service organization can be trusted to maintain the security and integrity of their customers’ financial data.

When should you ask a service organization for a SOC 1 Type 2 report? (Or, when might you be asked to provide one?)

SOC 1 report checks are a key ingredient in strong organization vendor management programs. Ideally, you should ask to see evidence of a valid SOC 1 Type 2 report any time you outsource a financial service to a third-party vendor.

For example, if you rely on an external partner or platform to handle your payroll processing, the way they handle your payroll data will have a direct impact on your own financial reports and processes. You want to know that they have solid policies and procedures in place to handle your data accurately and responsibly.

Similarly, if you handle financial services on other companies’ behalf, you want to be able to demonstrate the same — and you should have evidence of your own SOC 1 certifications ready to go.

It’s not just a best practice and part of being an ethical business partner; it’s a key selling point for your organization as you work to stand out from the competition.

The bottom line

A SOC 1 Type 2 report demonstrates that a service provider has the right controls in place to manage financial data on behalf of their customers and to handle that data properly.

Obtaining and presenting these certifications should be standard practice for all financial service organizations, and making this a universal practice will help us to build safer and more transparent partnerships when it comes to sharing sensitive data online.

Learn more

Stytch is committed to supporting secure, frictionless digital experiences, from robust authentication solutions to fraud and risk prevention strategies.

If you want to learn more about how SOC 1 and SOC 2 reports contribute to your online security — or what they might mean for your organization — reach out to one of our data experts, and get your questions answered.


Get started with Stytch