SOC 2 Type I vs Type II: which one to run first
A SOC 2 Type 2 audit tests operating effectiveness over months, not a single day. Here is when Type I is the right first step and when to skip it.
Dev Agarwal, Licensed CPA · Founder
A prospect's security team writes back with one line: "we can only accept a SOC 2 Type II." You have two quotes open in another tab. One is a Type I that can ship in eight weeks. The other is a Type II with a six-month observation window that will not produce a report until next year.
Which one actually closes the deal, and which one wastes a quarter of runway? The answer turns on who your buyer is, how much runway you have, and how mature your controls already are.
The short answer
A SOC 2 Type I report opines on whether your controls were suitably designed as of a single point in time. A SOC 2 Type II report opines on whether those same controls were suitably designed and operated effectively over a period of three to twelve months.
Type I is a photograph. Type II is a film. Sophisticated buyers want the film.
What a Type I actually attests to
A Type I answers one question on one date: were the controls described in management's assertion designed to meet the applicable Trust Services Criteria? Both Type I and Type II examinations sit inside the AICPA's SOC for Service Organizations framework, and the AICPA guide is the authoritative source on the distinction between a design-only opinion and one that also covers operating effectiveness. For the full list of controls your design needs to cover before fieldwork, see SOC 2 compliance requirements.
The auditor walks each control, confirms it exists, confirms the design matches the criterion, and confirms the evidence for that design is in place on the as-of date. There is no transaction sampling. There is no observation window. The opinion speaks to one day, and the report tells your buyer that on that day your control environment was set up correctly.
The engagement turns around in six to ten weeks once the design work is done. That speed is the whole point. A Type I is the report you can honestly hand a buyer when a Type II has nothing to sample yet, because the controls have not been running long enough to test.
What a Type II actually attests to
A Type II keeps the design question and adds the second one that matters more: did the controls actually run, every time they were supposed to, across the entire observation window?
Two mechanical differences from Type I:
- The auditor samples. Sample sizes follow AICPA guidance and scale with control frequency; the figures below are typical, not fixed. The underlying attestation rules live in AICPA SSAE No. 18, which recodified the AT-C sections service auditors work under. A daily control might draw 25 samples from the window, a weekly control 8 to 12, a monthly control 2 to 5, and a quarterly control one or two. Each sample tests whether the control operated on the day it was supposed to, not only on the day the auditor showed up.
- Exceptions land in Section 4. Every sampled failure appears in the controls table with a management response. A clean Type II does not mean zero exceptions. It means an unqualified opinion with honest responses to the real ones. (See what a SOC 2 report actually tells your buyer for how procurement reads that section.)
A Type II is what an enterprise security team means when they say "send us your SOC 2."
Observation-window mechanics
The window is the part most founders underestimate. A few things worth knowing before you pick one.
Three months is the floor, not the norm. AICPA guidance permits short Type II windows, and three months is the shortest that still produces a credible report. In practice, short-window Type IIs show up for first-year reports with a hard customer deadline, for newly in-scope subservice organizations, or as a stopgap ahead of a major renewal. Enterprise buyers notice the window length and discount a short one accordingly.
Six months is the practical floor for real buyers. A six-month Type II gives the auditor enough recurrence on weekly and monthly controls to test them meaningfully. Most sophisticated buyers will accept a six-month first Type II on the understanding that the next one will be twelve.
Twelve months is the annual cadence. Once you are in steady state, the observation window aligns with a fiscal year and resets each year. Twelve months also eliminates the need for a short-period report and simplifies the bridge-letter rhythm between annual reports.
The report is not issued on the day the window closes. The AICPA's illustrative Type 2 service auditor's report shows the structure your CPA firm will follow; expect six to ten weeks between period end and issued report for drafting, management review of the system description and exception responses, and the firm's quality review. Buyers who need the report by a specific date should back the observation window up accordingly: subtract the reporting lag from the due date, then subtract the window length, and that is the latest date the window can open.
When Type I is the right first step
Run a Type I first when all three of these are true:
- The company or the scope is new. The service has been live for less than six months, or the scope just expanded materially. A Type II sampled over that window would have nothing consistent to test.
- It is your first audit. A Type I surfaces design gaps cheaply before you commit to a twelve-month observation window where the same gaps would generate exceptions every time they recur. Running a readiness pass and then a Type I is the low-cost way to find out where the controls are weak before the stakes go up.
- You have a 60-to-90 day buyer deadline. A prospect needs a real audit artifact attached to their vendor file this quarter, and a Type II cannot arrive in time: even the shortest credible three-month window plus six to ten weeks of reporting runs past the deadline. A Type I is the honest way to ship something meaningful, so long as the buyer understands a Type II will follow.
If any of those three is false, the Type I is a waste of a fee.
When to skip straight to Type II
Skip Type I when:
- Your buyers will only accept Type II. Large enterprise security teams and any Fortune 500 procurement function fall here. Spending $25k on a Type I that the target buyer will not accept is not a bridge to the deal; it is a line item.
- You have runway for a six-to-twelve-month window. If the deal pressure is real but not this quarter, the calendar math works. Start the observation window now, close sales deals with a signed letter of intent plus the in-progress Type II, and ship the report when the window closes.
- Your controls are already mature. Companies that have been operating real access reviews, change management, and incident response for a year do not need a Type I to tell them their design is sound. Go straight to the report that buyers want.
The sibling decision on the SOC 1 side lives in SOC 1 Type 1 vs Type 2. The logic is identical; only the audience, and what "effective" means, differ.
A Type I buys you a deliverable. A Type II buys you the contract.
The two-Type-II rhythm
Once you are on the Type II cadence, the pattern settles. Your first Type II covers six months. Your second covers twelve. After that, each annual Type II covers twelve months aligned with your reporting year.
Between reports, buyers will ask what has happened since the period end. You hand them a SOC 2 bridge letter: a signed management statement that no material changes have occurred to the system description or controls since the end of the examination period. Bridge letters typically cover up to about three months after period end. They are not audited and the auditor does not sign them. If the gap stretches past three months, the answer is a short-period Type II or a repositioned observation window, not a longer letter.
A steady-state program ends up with a twelve-month Type II and two to three bridge letters a year, always dated to the day a buyer asks.
Cost and timing tradeoffs
Honest ranges for a growth-stage SaaS with one product and the Security criterion only:
- Type I from a standing start: four to six months total, with audit fees roughly $18k to $35k. Two to three months of readiness, one to two of fieldwork, one of reporting.
- First Type II from a standing start with a six-month window: roughly ten to fourteen months total, with audit fees roughly $30k to $55k. Three to four months of readiness, six months of observation window running in parallel with evidence collection, fieldwork that can begin at an interim date inside the window and finishes after it closes, then six to ten weeks of reporting. A twelve-month first window adds about six months to that.
- Annual Type II in steady state: roughly twelve months end to end, $25k to $50k, timed so the report issues shortly after the window closes.
The trap worth naming: a Type I followed by a Type II costs more in total than a single Type II, because you pay two sets of audit fees for one buyer outcome. That trade is worth it when a buyer deadline demands an artifact now and the first audit will surface enough design gaps to justify the cheaper diagnostic. It is not worth it when buyers will not read the Type I anyway.
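The calendar math behind the observation-window section, the 60-to-90 day deadline rule, and the timing ranges above is easy to get wrong by a month in either direction, so here it is as a small planner. This is an added example written for this article, not code from the author or from any compliance platform. It uses the article's own ranges as planning constants (ten weeks of reporting lag, ten weeks of Type I fieldwork, a three-month bridge-letter limit), always at the conservative end; those constants, the function names, and the sample dates are assumptions made for illustration, not AICPA rules.

```python
from datetime import date, timedelta

# Planning constants taken from the article's ranges. They are assumptions for
# planning, not AICPA rules; the conservative end of each range is used on purpose.
REPORTING_LAG_WEEKS = 10       # period end (or Type I as-of date) to issued report: 6-10 weeks
TYPE1_FIELDWORK_WEEKS = 10     # design-only engagement once design work is done: 6-10 weeks
BRIDGE_LETTER_MAX_MONTHS = 3   # longest gap a bridge letter is expected to cover


def add_months(d: date, months: int) -> date:
    """Calendar-month arithmetic with no dateutil dependency; negative months walk backwards.
    The day is clamped to the target month's length, so Jan 31 + 1 month is Feb 28 (or 29)."""
    y, m0 = divmod(d.month - 1 + months, 12)
    year, month = d.year + y, m0 + 1
    next_first = date(year + (month == 12), month % 12 + 1, 1)
    last_day = (next_first - timedelta(days=1)).day
    return date(year, month, min(d.day, last_day))


def earliest_issue(today: date, readiness_months: int, window_months: int = 0) -> date:
    """Earliest date a report started today can be in the buyer's hands.
    window_months == 0 means a Type I: design-only, no observation window to wait out."""
    ready = add_months(today, readiness_months)
    if window_months == 0:
        return ready + timedelta(weeks=TYPE1_FIELDWORK_WEEKS)
    window_end = add_months(ready, window_months)
    return window_end + timedelta(weeks=REPORTING_LAG_WEEKS)


def latest_window_start(report_due: date, window_months: int) -> date:
    """Back the observation window up from the date the buyer needs the report in hand."""
    window_end = report_due - timedelta(weeks=REPORTING_LAG_WEEKS)
    return add_months(window_end, -window_months)


def first_report(today: date, buyer_deadline: date, readiness_months: int,
                 buyer_accepts_type1: bool = True) -> tuple:
    """Pick the first report to run: the longest Type II window that still lands before the
    deadline, else a Type I if the buyer will read one, else nothing arrives in time.
    Returns (label, issue_date); for 'none in time' the date is the earliest acceptable report,
    which is the number to take back to the buyer."""
    for label, window in (("Type II (6-month)", 6), ("Type II (3-month)", 3)):
        issued = earliest_issue(today, readiness_months, window)
        if issued <= buyer_deadline:
            return label, issued
    type1 = earliest_issue(today, readiness_months)
    if buyer_accepts_type1 and type1 <= buyer_deadline:
        return "Type I", type1
    fallback = type1 if buyer_accepts_type1 else earliest_issue(today, readiness_months, 3)
    return "none in time", fallback


def bridge_letter_covers(last_period_end: date, ask_date: date) -> bool:
    """True if a bridge letter can cover the gap from the last Type II period end to the day
    a buyer asks; past the limit the answer is a short-period Type II, not a longer letter."""
    return last_period_end <= ask_date <= add_months(last_period_end, BRIDGE_LETTER_MAX_MONTHS)


if __name__ == "__main__":
    # Constructed scenario: mature controls (no readiness), buyer wants an artifact in 90 days.
    today, deadline = date(2025, 1, 6), date(2025, 4, 6)
    print(first_report(today, deadline, readiness_months=0))            # ('Type I', 2025-03-17)
    # Same prospect, deadline at year end: a six-month Type II fits after three months of readiness.
    print(first_report(today, date(2025, 12, 31), readiness_months=3))  # ('Type II (6-month)', 2025-12-15)
    # Annual report due Dec 31 with a twelve-month window: the window must open by this date.
    print(latest_window_start(date(2025, 12, 31), 12))                  # 2024-10-22
```

Run it with the two constructed dates and the 90-day case comes back as a Type I, because even a three-month window plus ten weeks of reporting lands in mid-June; move the deadline to year end and a six-month Type II fits with time to spare. Swap in your own readiness estimate and the buyer's real date; the conservative constants mean a plan that passes here has slack, not the other way round.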
Readiness is usually the larger line item in year one regardless of which report you run. A compliance platform can help with evidence collection but does not reduce the audit fee and does not replace the CPA firm. The pillar primer on what SOC 2 is covers the platform question in more detail, and the SOC 2 audit process walks through how the engagement itself runs once the report type is picked.
The decision is almost always simpler than it feels. Name the buyer, count the weeks, look at the control maturity, and the right first report is usually obvious within ten minutes.
If a deal is hanging on the Type I vs Type II question and the clock is running, get in touch or see the services we offer; we will help you pick the scope and timing that answers the customer without paying twice.