What is a type II service organization control report?
In a type II service organization control (SOC) report, the service auditor will report on the design, implementation and operating effectiveness of the service organizations internal control framework. This is different from a type I report, which only covers the design and implementation, and not the operating effectiveness. A user auditor can only use a type II SOC report to reduce the internal control testing performed on the user organization.
The visual below illustrates the parties involved in a Type 2 report:
Back To All Questions