Every SOC 2 examination produces one of two reports, and the choice between them is the first real decision in the process. The mechanics are simple. The consequences are not, because the two reports make fundamentally different claims about your control environment, and enterprise procurement teams know exactly which claim they want to see.
The Core Distinction
A SOC 2 Type 1 report examines whether your controls are suitably designed as of a specific date. The auditor looks at your control environment on, say, June 30, and forms an opinion on whether the controls are designed to meet the relevant Trust Services Criteria at that moment. It is a snapshot.
A SOC 2 Type 2 report examines two things: whether the controls are suitably designed, and whether they operated effectively across a defined observation period, typically three to twelve months. The auditor does not just confirm the control exists; they sample evidence from across the period to test that it actually functioned, week after week. It is a film, not a photograph.
SOC 2 Type 1
Tests design effectiveness at a single point in time. Faster to obtain, typically three to six months end to end. Proves the controls exist and are designed correctly. Useful as an interim step or a first credential. Lower cost, usually $10,000 to $20,000 for the examination.
SOC 2 Type 2
Tests design and operating effectiveness across a three to twelve month period. Longer to obtain because of the observation window. Proves the controls actually worked over time. The report most enterprise buyers require. Higher cost, driven by the volume of evidence tested.
The Observation Period Is the Whole Point
The observation period is what separates a Type 2 from a Type 1, and it is where first-time companies most often underestimate the effort. During this window your controls must operate continuously, and you must collect evidence that proves it. An auditor performing a Type 2 does not simply ask whether you run access reviews. They select a sample of access reviews from across the period and inspect the records: who reviewed, when, what was found, what was remediated.
Three months is the minimum most CPA firms will accept and the fastest route to a first Type 2 report. Many companies choose a six-month initial window to demonstrate a more convincing track record, then move to a rolling twelve-month period at renewal so there is never a gap between reports. The length you choose is a trade-off between speed to a credential and the strength of the evidence trail behind it.
Timeline and Cost, Side by Side
| Factor | Type 1 | Type 2 |
|---|---|---|
| What it tests | Design at a point in time | Design plus operating effectiveness over a period |
| Observation period | None | 3 to 12 months |
| Typical end-to-end timeline | 3 to 6 months | 6 to 15 months |
| Examination fee (specialist firm) | $10,000 to $20,000 | $15,000 to $70,000 |
| What buyers infer | You have started, seriously | You have operated the controls, provably |
How to Decide
The right choice depends on your runway and your sales pressure, not on preference.
Go straight to Type 2 if you have nine to twelve months before SOC 2 becomes a hard requirement in your deals. Skipping Type 1 saves you the cost of a report most enterprise buyers treat as incomplete, and it gets you to the credential that actually closes deals. This is the right path for most companies with any runway at all.
Start with Type 1 if a deal is stalled today and the customer needs to see documented, audited proof that your control environment exists while you build toward Type 2. A Type 1 can be completed in a few months and provides immediate, legitimate evidence of commitment. Treat it as a bridge, not a destination.
Do not represent a Type 1 as a Type 2
If a customer asks which report you hold and you have a Type 1, say so plainly. Procurement teams and CISOs read SOC 2 reports and know the difference between design and operating effectiveness. Misrepresenting the type creates a trust problem that is worse than simply not having Type 2 yet.
Where the Bridge Letter Fits
A bridge letter, sometimes called a gap letter, is a short self-attestation from your management that covers the interval between the end of your SOC 2 report period and the date a customer is asking about. It states that no material changes to the control environment have occurred since the report period ended. It is useful and common, but it has hard limits. The industry norm is that a bridge letter should cover no more than three months, and because it is management's own statement rather than an auditor's opinion, it carries none of the assurance of the report itself. A bridge letter keeps a deal moving in a narrow window. It does not restore the credibility of a report that has aged out, and a serious vendor risk reviewer will treat a stale report with a bridge letter as exactly that.
The Deeper Point
Type 1 versus Type 2 is really a question about what kind of assurance you can offer. A Type 1 proves design. A Type 2 proves operation. But even a twelve-month Type 2 is historical the moment its period closes, which is why the strongest position is not just holding the right report but running a continuous evidence program that lets you speak to your control environment today. The report is the artifact. The operating discipline behind it is the actual assurance, and it is what turns a renewal from an annual scramble into a formality.
If you are still deciding what is in scope and whether your controls would survive testing over a period, a readiness assessment will tell you before the clock on an observation period starts. And if you want to understand why the word "certified" is the wrong one to use for either report, we cover that in "Is SOC 2 a report or a certificate".