The Core Difference: Design vs Operating Effectiveness
SOC 2 Type I and Type II are fundamentally different reports, not just longer or shorter versions of the same thing. The distinction is important when deciding which to pursue first, what to prepare, and what management must assert.
| Dimension | SOC 2 Type I | SOC 2 Type II |
|---|---|---|
| What is assessed | Design of controls at a point in time | Design AND operating effectiveness over a period |
| Audit period | As-of date (single date) | Period of time (typically 3, 6, or 12 months) |
| Management assertions | 2 assertions (description + design) | 3 assertions (description + design + operating effectiveness) |
| Evidence collection | Current-state evidence (screenshots, configs) | Time-stamped evidence across the full period |
| Auditor sampling | Inspect controls as designed at the as-of date | Sample control operation across the examination period |
| Timeline | 6–8 weeks from engagement to report | 3–12 months examination period + 6–8 weeks fieldwork |
| Market value | Lower (some customers won’t accept Type I) | Higher (enterprise standard) |
| Typical cost | $15,000–$30,000 | $25,000–$60,000+ |
What Changes in the Management Assertion
The most concrete difference between Type I and Type II is in the management assertion letter. For Type I, management makes two assertions:
- The description of the system is fairly presented as of [date]
- The controls stated in the description were suitably designed as of [date] to achieve the applicable trust service criteria
For Type II, management makes all three assertions, adding:
- The controls stated in the description operated effectively throughout the period from [start] to [end]
This third assertion is significant. You are making a formal, signed assertion that your controls operated effectively for every day of the examination period. Not just that they were in place. That they worked. That they were followed. That exceptions were identified and addressed.
This means:
- Access reviews conducted during the period, not just at the end
- Vulnerability scanning running throughout, not just switched on before the audit
- MFA enforced from day one of the period, not added in month three
- Change management process followed for all changes, with evidence retained
Evidence Requirements: Type I vs Type II
This is where the real operational difference shows up:
| Control Area | Type I Evidence | Type II Evidence |
|---|---|---|
| Access control (CC6.1) | Screenshot of access control list, MFA config, IAM roles as of the date | Access review completion records for each quarterly review during the period; access provisioning/deprovisioning records for employees hired/terminated during the period |
| MFA (CC6.1) | Screenshot showing MFA enabled in IdP; configuration export | Evidence MFA was enforced throughout — IdP logs showing no MFA bypass; MDM compliance reports |
| Vulnerability scanning (CC7.1) | Most recent scan report | Scan reports across the examination period (weekly/monthly); evidence findings were remediated within policy timelines |
| Pen testing (CC4.1/CC7.2) | Most recent pen test report + remediation evidence | Same, but must fall within the examination period (or immediately prior) |
| Change management (CC8.1) | Screenshot of branch protection settings; example PR with review | Population of PRs during the period; auditor will sample 5–10 and verify they followed the process; CI/CD logs for deployments |
| Security training (CC1.4) | Training platform configuration showing training programme exists | Completion records for all employees for the training cycle during the period; new hire onboarding training records; phishing simulation results |
| Incident response (CC7.3) | IRP document; recent tabletop exercise | Incident register for the period (even if no incidents, the register showing zero incidents and the review process); evidence any incidents were handled per policy |
| Vendor management (CC9.1) | Vendor register; 1–2 example DPAs; vendor risk assessment template | Vendor reviews completed during the period; new vendor due diligence records for vendors added during the period; existing vendor annual reviews |
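As an added example (not the guide's own code), a small coverage check of the kind the Type II column implies: given time-stamped evidence records and the cadence a control requires, it reports any stretch of the examination period with no evidence, including a control that was only switched on partway through. The period, the controls and the evidence dates are constructed.

```python
"""Type II evidence-coverage check: does time-stamped evidence cover the whole
examination period at the cadence each control requires? Added example, not the
guide's own code; the period and evidence records below are constructed."""
from datetime import date, timedelta
from typing import Dict, List, Tuple

Gap = Tuple[date, date]


def coverage_gaps(period_start: date, period_end: date,
                  evidence_dates: List[date], max_interval_days: int) -> List[Gap]:
    """Return (first_day, last_day) windows inside the period where consecutive evidence
    records are more than max_interval_days apart. The stretch before the first record
    and after the last one count too, so a control switched on mid-period shows up as
    a gap at the start, and one that lapsed before period end as a gap at the end."""
    in_period = sorted(d for d in evidence_dates if period_start <= d <= period_end)
    # Sentinels one day outside the period make the edge checks uniform.
    points = [period_start - timedelta(days=1)] + in_period + [period_end + timedelta(days=1)]
    gaps: List[Gap] = []
    for prev, nxt in zip(points, points[1:]):
        if (nxt - prev).days > max_interval_days:
            gaps.append((prev + timedelta(days=1), nxt - timedelta(days=1)))
    return gaps


def evidence_report(period_start: date, period_end: date,
                    evidence: Dict[str, Tuple[List[date], int]]) -> Dict[str, List[Gap]]:
    """Map each control to its uncovered windows; an empty list means full coverage."""
    return {control: coverage_gaps(period_start, period_end, dates, interval)
            for control, (dates, interval) in evidence.items()}


# Constructed 90-day period with three controls from the evidence table:
# weekly scans that only started on 15 April, one quarterly access review,
# and a monthly MFA enforcement report pulled from the IdP.
PERIOD_START, PERIOD_END = date(2025, 4, 1), date(2025, 6, 29)
SAMPLE_EVIDENCE = {
    "CC7.1 vulnerability scan (weekly)": (
        [date(2025, 4, 15) + timedelta(days=7 * i) for i in range(11)], 7),
    "CC6.1 access review (quarterly)": ([date(2025, 6, 20)], 92),
    "CC6.1 MFA enforcement report (monthly)": (
        [date(2025, 4, 1) + timedelta(days=30 * i) for i in range(3)], 31),
}

if __name__ == "__main__":
    for control, gaps in evidence_report(PERIOD_START, PERIOD_END, SAMPLE_EVIDENCE).items():
        status = "OK" if not gaps else ", ".join(f"{a}..{b}" for a, b in gaps)
        print(f"{control}: {status}")
```

Running it flags the first two weeks of the period for the scanning control, which is exactly the gap that would become an exception in a Type II report.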
Which to Pursue First: Type I or Type II?
The right answer depends on your situation:
Go for Type I first if:
- You’re in an active sales cycle where prospects are asking for SOC 2 now and can’t wait 12 months
- You’ve just finished implementing controls and want early validation that they’re designed correctly before committing to a Type II period
- Your auditor recommends it based on your current evidence maturity
- Your target market (typically mid-market) will accept Type I, at least initially
Go straight to Type II if:
- Your target customers are enterprise and explicitly require Type II (common in US federal, financial services, healthcare, and large tech procurement)
- Your controls have been in place for 6+ months and you have evidence for the full period
- You want to minimise total cost (one Type II is usually cheaper than Type I + Type II)
- You have 12+ months before you need the report and can do a proper 6–12 month examination period
Type I is not a shortcut: A common mistake is treating Type I as a warm-up that then automatically converts to Type II. It doesn’t. Type II requires a new engagement, a new examination period, and a new management assertion. The Type I report gives you design validation — it doesn’t reduce the Type II effort significantly. If you only need one report, go straight to Type II with a 3-month examination period.
Minimum Audit Period Length for Type II
AICPA doesn’t mandate a minimum examination period for Type II, but in practice:
- 3 months: Minimum that most auditors will accept for a first Type II. Evidence is sparse but sufficient for basic controls. Some enterprise procurement teams will push back on a 3-month report.
- 6 months: Common first Type II period. Good balance of evidence coverage vs time-to-report. Most procurement teams accept this.
- 12 months: Gold standard. Required for some enterprise customers and federal procurement. After the first year, you’ll maintain 12-month annual reports.
Planning Your Examination Period
The examination period start date is the date all controls must be in place by. This is a hard deadline. If you start MFA rollout on April 15 but declare April 1 as your examination period start, you have a gap in the first two weeks that will become an exception in the report.
Common planning mistake: choosing an examination period that starts before controls were implemented, then hoping the auditor doesn’t sample that early in the period. Auditors sample randomly across the period. The longer the period and the later the control implementation, the higher the probability of sampling a gap period.
The right approach: define your examination period start date as the date by which all controls will be fully implemented. Work backwards from your target report date. Allow 4–8 weeks for fieldwork after the period ends. Add time for report review and issuance.
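The period planning described above, as an added example rather than code from the guide: it works backwards from a target report date to the date by which every control must be live, and puts a number on the "hoping the auditor doesn't sample early" mistake. Dates, the fieldwork and issuance allowances, and the sample size are constructed assumptions.

```python
"""Examination-period planner for a Type II: work backwards from the target report
date to the date by which every control must be live, and estimate how likely random
auditor sampling is to land in a control gap. Added example, not from the guide; all
dates, allowances and sample sizes below are constructed."""
from datetime import date, timedelta

FIELDWORK_WEEKS = 6   # the guide allows 4-8 weeks of fieldwork after the period ends
ISSUANCE_WEEKS = 2    # constructed allowance for report review and issuance


def plan_period(target_report: date, period_days: int) -> dict:
    """Latest examination window whose fieldwork and issuance finish by target_report.
    'controls_ready_by' equals the period start: the hard deadline for every control."""
    period_end = target_report - timedelta(weeks=FIELDWORK_WEEKS + ISSUANCE_WEEKS)
    period_start = period_end - timedelta(days=period_days - 1)
    return {"period_start": period_start, "period_end": period_end,
            "controls_ready_by": period_start}


def gap_days(period_start: date, control_live: date) -> int:
    """Days at the start of the period during which a control was not yet operating."""
    return max(0, (control_live - period_start).days)


def gap_sampling_probability(period_days: int, gap: int, samples: int) -> float:
    """Chance that at least one of `samples` sample dates falls inside the gap.
    Assumes sample dates are drawn uniformly across the period, a simplification of
    real sampling (which is drawn from the control's population of occurrences)."""
    if gap <= 0:
        return 0.0
    if gap >= period_days:
        return 1.0
    return 1 - (1 - gap / period_days) ** samples


# Constructed scenario matching the guide's illustration: the period is declared to
# end on 29 June, but MFA enforcement only went live on 15 April.
EXAMPLE_TARGET_REPORT = date(2025, 12, 31)
EXAMPLE_PERIOD_END = date(2025, 6, 29)
EXAMPLE_MFA_LIVE = date(2025, 4, 15)


def example_risk(period_days: int, samples: int = 10) -> float:
    """Gap-sampling risk for a period of period_days ending on EXAMPLE_PERIOD_END.
    A longer period starts earlier, so the same go-live date means a longer gap."""
    period_start = EXAMPLE_PERIOD_END - timedelta(days=period_days - 1)
    return gap_sampling_probability(period_days, gap_days(period_start, EXAMPLE_MFA_LIVE), samples)


if __name__ == "__main__":
    plan = plan_period(EXAMPLE_TARGET_REPORT, period_days=90)
    print({k: v.isoformat() for k, v in plan.items()})
    for days in (90, 180):
        print(f"{days}-day period, MFA live 15 April: P(sample hits gap) = {example_risk(days):.3f}")
```

With ten samples, even a two-week gap in a 90-day period is hit more than 80% of the time, and stretching the period back to 180 days makes the gap all but certain to be sampled.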
The Management Assertion Timeline
- Type I: Draft the assertion before fieldwork begins. Sign it at or after the as-of date. The report is typically issued within 60 days of the as-of date.
- Type II: Draft the assertion at the start of audit preparation. Review it at the period end. Final sign-off comes after fieldwork and before report issuance. The assertion date must fall after the examination period end date.
Bridge Letters Between Annual Reports
After your first Type II report, you’ll maintain annual reports. Between the end of one report period and the start of the next audit, customers may request assurance coverage. This is where bridge letters come in — management assertions covering the gap period, asserting no significant changes since the last report.
Most enterprise procurement teams accept bridge letters for gaps up to 6 months. Beyond that, they’ll wait for your new Type II. Keep your audit cycle tight to minimise bridge letter exposure.
Generate Your SOC 2 Management Assertion Letter
Use the SOC 2 Management Assertion Letter Generator to create a complete, properly-structured assertion for Type I, Type II, or Bridge Letter. Includes all three assertions, system component inventory, trust service categories, subservice organisation treatment, and signature blocks.
⚠️ This guide is for informational purposes only and does not constitute legal or compliance advice. SOC 2 audit scoping and management assertions must be agreed with your CPA firm. Always work with a licensed CPA firm for your actual audit engagement.