SOC 1 Type II: Sustaining Financial Reporting Controls Over the Full Audit Period
A SOC 1 Type I report tells your clients' auditors that your financial reporting controls are designed correctly. A SOC 1 Type II report tells them something far more valuable: that those controls worked consistently, throughout a defined period, under real operational conditions. For clients whose auditors must place reliance on your controls to complete their financial statement audits, Type II is not optional — it is essential.
What Type II Adds to Type I
SOC 1 Type II extends the Type I assessment by adding an observation period — the period during which the auditor tests that controls operated effectively, not just that they were designed correctly. The observation period is typically:
- Minimum six months for the first Type II report
- Twelve months for subsequent annual reports and for clients with more demanding requirements
The auditor's work in a Type II engagement includes everything in a Type I examination plus:
- Sampling evidence of control operation from throughout the observation period
- Testing whether controls were consistently applied, not just present
- Identifying exceptions where controls failed to operate as designed
- Evaluating materiality of any exceptions found
Why Financial Auditors Specifically Require Type II
Your clients' financial auditors operate under auditing standards (PCAOB AS 2201 for public companies, AU-C 402 for private companies) that govern how they can rely on controls at service organisations. Under these standards:
- They must obtain a Type II report if they plan to reduce their own testing of your controls
- They cannot place reliance on a Type I report to reduce substantive testing
- A Type II report with a clean opinion allows them to rely on your controls and reduce their own fieldwork
- A Type II report with qualified opinions or significant exceptions may cause them to perform additional testing or require their clients to seek a different service provider
This is why clients in payroll processing, loan servicing, claims administration, and financial technology consistently require Type II reports with short report-to-audit timelines — their financial auditors need current, period-based assurance.
Building Controls That Sustain Type II Testing
The key discipline for SOC 1 Type II is consistency. Auditors will sample from throughout the observation period and test whether each sampled control instance operated as designed. Controls that work nine months out of twelve will produce exceptions in the report.
Transaction Processing Controls
For each class of transactions, ensure:
- Automated validation controls run on every transaction, every time
- Exception reports are generated, reviewed, and actioned on the defined cadence
- Processing completeness checks reconcile inputs to outputs for every processing cycle
- Balancing and settlement procedures are documented and evidenced for every cycle
Access Controls
Throughout the observation period:
- User provisioning follows the defined authorisation process for every new user
- Access reviews are completed on the defined schedule (typically monthly or quarterly) with documented results
- Terminated user access is revoked within the defined timeframe — evidence of timely deprovisioning for every termination
- Privileged access is reviewed and documented on the defined cycle
Change Management
For every change to in-scope systems:
- Change requests are formally submitted with business justification
- Changes are approved by authorised individuals before implementation
- Pre-implementation testing is performed and documented
- Post-implementation reviews confirm expected outcomes
Reporting Controls
For each client report type:
- Reports are generated on the defined schedule
- Completeness and accuracy checks are applied and evidenced
- Report delivery is confirmed and documented
Evidence Management for Type II
Managing evidence across a twelve-month observation period requires systematic discipline:
Centralise evidence storage: All control evidence should flow to a single repository, organised by control objective, period, and responsible owner. Reconstructing twelve months of evidence at audit time from email threads and shared drives is extremely difficult and often incomplete.
Automate where possible: Automated controls generate their own evidence — transaction logs, access provisioning records, system-generated reports. Manual controls require manual evidence capture. Wherever a manual control can be automated, evidence quality and completeness improve.
Establish evidence retention policies: Ensure that log data, report archives, access review records, and change management tickets are retained for at least the duration of the observation period plus the audit window.
Review evidence quality quarterly: A quarterly internal review of evidence completeness and quality — before the external auditor arrives — catches gaps while there is still time to address them.
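As an added illustration of the access-control requirements and the quarterly evidence-completeness review described above (example code written for this page, not from the original article or from Savadub), the following Python script performs the check an internal reviewer would run before the auditor samples: it lists observation-period months with no evidenced access review, and terminations whose deprovisioning evidence is missing or falls outside the defined timeframe. The twelve-month period, the five-day revocation SLA, and all evidence records are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

OBSERVATION_START = date(2024, 1, 1)   # constructed 12-month observation period
OBSERVATION_END = date(2024, 12, 31)
DEPROVISION_SLA_DAYS = 5               # assumed "defined timeframe" for revocation


@dataclass(frozen=True)
class AccessReview:
    period: str                    # month the review covers, "YYYY-MM"
    completed_on: Optional[date]   # None = no evidence the review was performed


@dataclass(frozen=True)
class Termination:
    user: str
    terminated_on: date
    revoked_on: Optional[date]     # None = no evidence that access was revoked


def months_in_period(start: date, end: date) -> list[str]:
    """Every 'YYYY-MM' the auditor may sample from, both ends inclusive."""
    months, y, m = [], start.year, start.month
    while (y, m) <= (end.year, end.month):
        months.append(f"{y:04d}-{m:02d}")
        y, m = (y + 1, 1) if m == 12 else (y, m + 1)
    return months


def missing_access_reviews(reviews, start=OBSERVATION_START, end=OBSERVATION_END) -> list[str]:
    """Months with no evidenced review: each is a likely exception in the report."""
    evidenced = {r.period for r in reviews if r.completed_on is not None}
    return [m for m in months_in_period(start, end) if m not in evidenced]


def deprovisioning_exceptions(terms, sla_days=DEPROVISION_SLA_DAYS) -> list[str]:
    """Terminations whose revocation evidence is absent or later than the SLA."""
    return [t.user for t in terms
            if t.revoked_on is None or (t.revoked_on - t.terminated_on).days > sla_days]


# Constructed sample evidence: July's review is unevidenced, one revocation is
# late, and one has no revocation evidence at all.
REVIEWS = [AccessReview(m, date(int(m[:4]), int(m[5:]), 28))
           for m in months_in_period(OBSERVATION_START, OBSERVATION_END)]
REVIEWS[6] = AccessReview("2024-07", None)
TERMINATIONS = [
    Termination("alice", date(2024, 3, 4), date(2024, 3, 5)),    # within SLA
    Termination("bob", date(2024, 8, 12), date(2024, 8, 26)),    # 14 days late
    Termination("carol", date(2024, 11, 1), None),               # no evidence
]


def evidence_gap_report(reviews=REVIEWS, terms=TERMINATIONS) -> dict:
    """Gaps a quarterly internal review should surface while there is time to fix them."""
    return {"missing_reviews": missing_access_reviews(reviews),
            "deprovisioning_exceptions": deprovisioning_exceptions(terms)}
```

Run against real evidence exports, the two lists map directly onto the exceptions an auditor's sample would find, so each entry is a remediation item for the current period rather than a finding in the report.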
Handling Exceptions in Type II Reports
Even with strong controls, exceptions sometimes occur. How you handle them affects the commercial impact of the report.
Minor, isolated exceptions with management responses explaining root cause and remediation are common and generally acceptable to sophisticated users of SOC 1 reports. A single exception in an access review process out of twelve monthly reviews is not the same as a systemic control failure.
Pervasive or repeated exceptions to the same control indicate a control design or operation failure that must be addressed. Clients' auditors will likely increase their testing and may escalate concerns to their clients.
Management responses to exceptions should be specific, factual, and describe concrete remediation steps with timelines. Generic responses ("management will improve this control") without specific actions are unsatisfactory to report users.
The Annual SOC 1 Type II Cycle
Once you have achieved your first Type II report, you enter an annual compliance cycle:
Months 1–3 of the new period: Ensure all controls identified as having exceptions in the prior report have been remediated. Adjust control procedures for any system or process changes.
Months 1–10: Run controls consistently. Collect evidence on the defined cadence. Conduct quarterly internal reviews of evidence completeness.
Months 9–10: Begin evidence compilation for the audit. Confirm the observation period end date with the CPA firm. Prepare the updated System Description reflecting any material changes to the system.
Month 11: Auditor examination. Respond to evidence requests promptly. Participate in interviews and walkthroughs.
Month 12+: Draft report review. Prepare management responses to any exceptions. Receive and distribute the final Type II report to clients.
Complementary User Entity Controls (CUECs)
Every SOC 1 Type II report includes a list of Complementary User Entity Controls — controls that must be in place at your clients' organisations for the combined control environment to be effective. Common CUECs include:
- Clients must promptly notify the service organisation of terminated employees to enable timely deprovisioning
- Clients must review and reconcile reports produced by the service organisation
- Clients must maintain appropriate segregation of duties over activities performed using the service
- Clients must implement appropriate access controls over credentials used to access the service
Your clients' financial auditors test these CUECs as part of their audit. Clearly defined, reasonable CUECs that your clients can actually implement make the overall audit process smoother for everyone.
Why Organisations Choose Savadub
Deep GRC Expertise
Our team holds practitioner-level expertise across every major compliance framework — not just theoretical knowledge, but hands-on implementation experience across multiple industries and organisation sizes.
Engineers, Not Just Consultants
We implement controls, not just recommend them. Our GRC engineers configure the systems, write the integrations, and build the monitoring pipelines that make compliance operational.
Global and African Regulatory Coverage
We understand both the global frameworks and the African regulatory environment — NDPR, NDPA, CBN directives, NITDA guidelines, and regional data protection laws — making us uniquely positioned for organisations operating across Africa and internationally.
Internal and External Audit Capability
We provide both embedded internal audit functions and independent third-party audit support, including CPA-accredited audit coordination for SOC examinations.
End-to-End Engagement
From initial gap assessment through certification, continuous monitoring, and ongoing compliance management — we are your long-term GRC partner, not a one-time consultant.
Industries We Serve
Financial Services · Healthcare · Technology & SaaS · Manufacturing · Logistics & Trade · Government & Public Sector · Energy & Critical Infrastructure · Education & EdTech · Media & Broadcasting · Retail & E-Commerce · Professional Services · Food & Beverage
Deliverables You Receive
Working with Savadub, every engagement delivers a concrete set of outputs:
- Gap Assessment Report — prioritised findings with effort estimates and risk ratings
- Compliance Roadmap — milestone-based plan from current state to certification or attestation
- Risk Register — organisational risk register with treatment plans
- Policy Pack — all required policies authored, reviewed, and approved
- Technical Control Implementation Evidence — configurations, screenshots, and audit trails
- Internal Audit Report — independent assessment of control effectiveness
- Audit Evidence Repository — organised, auditor-ready evidence collection
- Executive Summary Presentation — board and leadership-ready compliance status
- Remediation Tracker — structured tracking of open findings and closure evidence
- Continuous Monitoring Setup — ongoing CCM pipeline for post-certification compliance
Get Started with Savadub
Savadub's GRC practice combines deep compliance expertise with technical engineering capability. We don't just advise — we build, implement, and operate your compliance program from the ground up.
Book a free GRC consultation with our team. We will review your current posture, identify your most critical gaps, and give you a clear, costed roadmap to compliance.
Contact us:
- Email: grc@savadub.com
- Phone: +234 816 734 2201
- WhatsApp: +234 903 234 8435
- Website: www.savadub.com