Soc 2 Type I vs. Type II audits: Know the difference
BlogsSOC 2
March 10, 2020

Soc 2 Type I vs. Type II audits: Know the difference

SOC 2 Type 1 vs Type 2: Which should you choose?

Congratulations! Your company must be growing, and potential clients are interested in how you handle their data. A SOC 2 audit is an independent, third-party assessment of your security practices, and it can be a great way to grow your business and assure larger customers of your security.

Before you can undergo the SOC 2 audit, you need to make another choice: a Type I or Type II audit?

What is SOC 2?

SOC 2 is short for “Service Organization Control.” SOC 2 is a standard of security and confidentiality that is designed for service organizations - specifically, service organizations that have contact with their clients’ data. If your organization is SOC 2 compliant, it tells your clients that you have the tools and protocols in place to safely handle their data. There are two types of SOC 2 compliance reports: SOC 2 Type I and SOC 2 Type II.

What is SOC 2 Type 1?

A SOC 2 Type 1 report is a security compliance report that details the systems, tools, and strategies you have in place for keeping your data and clients’ data secure. This type of report is all about detailing your security system at one point in time. It is the most cost-effective type of SOC 2 report because the audit is more succinct than a SOC 2 Type 2 audit.

What is SOC 2 Type 2?

While a SOC 2 Type 1 report is a thorough description of your security system at one point in time, a SOC 2 Type 2 report differs by measuring and reporting on the effectiveness of your security controls over time. In other words, while a SOC 2 Type 1 report explains your plan for security, a SOC 2 Type 2 report explains your plan and also assesses how well it works. This type of report, of course, is more comprehensive and more reliable for clients, so some clients may request it. The process takes longer, though, because it requires months of monitoring to get the documentation this report needs.

Choosing SOC 2 Type 1 vs Type 2

You’ll want to consider three categories – speed, strength, and cost – for your choice:

  1. Speed with which you’d like the SOC 2 completed.

If you need your SOC 2 fast, a Type 1 is likely a better choice, as you’ll receive a report 1-2 months after you’re audit-ready. If there is less urgency, you may choose to skip a Type 1 and go straight to a Type 2.

  1. Strength of the reporting outcomes and how they will serve your company.

A Type 1 report shows that you understand the necessary security procedures. The Type 1 report is issued as of a specific date and represents an auditor’s review and approval of your systems at that moment in time. It’s like your auditor saying, “I checked the company’s security controls on September 30, and everything looked good.”

A Type 2 report shows not only that you understand the necessary security procedures, but that you follow them over a period of time. A Type 2 report is like your auditor saying, “I checked the company’s security controls many times between September 30 and March 30, and everything looked reasonable.” This type of systems review results in audit yields a stronger and more trustworthy report.

  1. Cost of the report to your company.

If you start with a Type 1 report, you may need a Type 2 report as well — which is an additional cost. As noted above, you don’t need to conduct both Type 1 and Type 2 audits in the same year. If a Type 2 is your goal, it is likely more cost-effective to go straight to it and avoid the cost of the Type 1.

Deciding on Type 1 vs or Type 2 for your SOC 2 audit

As you choose between a Type 1 or a Type 2 report, ask yourself these questions:

  • Is our company’s SOC 2 compliance urgent?
  • What level of reporting strength are we seeking to demonstrate?
  • Will we eventually need a Type 2 report?  

If your company is required to demonstrate its SOC 2 compliance, you may find overall that a Type 2 report serves you better. The Type 2 report is the stronger of the two, demonstrating that your security processes and procedures were in place and effective for months.

However, if it’s urgent that you demonstrate SOC 2 compliance, you may choose to produce a Type 1 report. And if you choose a Type 1 report, know you may need to undergo a Type 2 audit in the future.

Written by
No items found.
Access Review Stage Content / Functionality
Across all stages
  • Easily create and save a new access review at a point in time
  • View detailed audit evidence of historical access reviews
Setup access review procedures
  • Define a global access review procedure that stakeholders can follow, ensuring consistency and mitigation of human error in reviews
  • Set your access review frequency (monthly, quarterly, etc.) and working period/deadlines
Consolidate account access data from systems
  • Integrate systems using dozens of pre-built integrations, or “connectors”. System account and HRIS data is pulled into Vanta.
  • Upcoming integrations include Zoom and Intercom (account access), and Personio (HRIS)
  • Upload access files from non-integrated systems
  • View and select systems in-scope for the review
Review, approve, and deny user access
  • Select the appropriate systems reviewer and due date
  • Get automatic notifications and reminders to systems reviewer of deadlines
  • Automatic flagging of “risky” employee accounts that have been terminated or switched departments
  • Intuitive interface to see all accounts with access, account accept/deny buttons, and notes section
  • Track progress of individual systems access reviews and see accounts that need to be removed or have access modified
  • Bulk sort, filter, and alter accounts based on account roles and employee title
Assign remediation tasks to system owners
  • Built-in remediation workflow for reviewers to request access changes and for admin to view and manage requests
  • Optional task tracker integration to create tickets for any access changes and provide visibility to the status of tickets and remediation
Verify changes to access
  • Focused view of accounts flagged for access changes for easy tracking and management
  • Automated evidence of remediation completion displayed for integrated systems
  • Manual evidence of remediation can be uploaded for non-integrated systems
Report and re-evaluate results
  • Auditor can log into Vanta to see history of all completed access reviews
  • Internals can see status of reviews in progress and also historical review detail

PCI Compliance Selection Guide

Determine Your PCI Compliance Level

If your organization processes, stores, or transmits cardholder data, you must comply with the Payment Card Industry Data Security Standard (PCI DSS), a global mandate created by major credit card companies. Compliance is mandatory for any business that accepts credit card payments.

When establishing strategies for implementing and maintaining PCI compliance, your organization needs to understand what constitutes a Merchant or Service Provider, and whether a Self Assessment Questionnaire (SAQ) or Report on Compliance (ROC) is most applicable to your business.

Answer a few short questions and we’ll help identify your compliance level.


Does your business offer services to customers who are interested in your level of PCI compliance?


Identify your PCI SAQ or ROC level

The PCI Security Standards Council has established the below criteria for Merchant and Service Provider validation. Use these descriptions to help determine the SAQ or ROC that best applies to your organization.

Good news! Vanta supports all of the following compliance levels:


A SAQ A is required for Merchants that do not require the physical presence of a credit card (like an eCommerce, mail, or telephone purchase). This means that the Merchant’s business has fully outsourced all cardholder data processing to PCI DSS compliant third party Service Providers, with no electronic storage, processing, or transmission of any cardholder data on the Merchant’s system or premises.

Get PCI DSS certified


A SAQ A-EP is similar to a SAQ A, but is a requirement for Merchants that don't receive cardholder data, but control how cardholder data is redirected to a PCI DSS validated third-party payment processor.

Learn more about eCommerce PCI

for service providers

A SAQ D includes over 200 requirements and covers the entirety of PCI DSS compliance. If you are a Service Provider, a SAQ D is the only SAQ you’re eligible to complete.

Use our PCI checklist

Level 1 for service providers

A Report on Compliance (ROC) is an annual assessment that determines your organization’s ability to protect cardholder data. If you’re a Merchant that processes over six million transactions annually or a Service Provider that processes more than 300,000 transactions annually, your organization is responsible for both a ROC and an Attestation of Compliance (AOC).

Automate your ROC and AOC

Download this checklist for easy reference


Learn more about how Vanta can help. You can also find information on PCI compliance levels at the PCI Security Standards Council website or by contacting your payment processing partner.

The compliance news you need. Delivered securely to your inbox.

Subject to Vanta's Privacy Policy, you agree to allow Vanta to contact you via the email provided for marketing and other purposes