Every so often when scrolling through the interweb I’ll come across a headline stating “95% Get This Simple Math Problem Wrong”. Although some are truly difficult, and I’m not really a fan of the headline, many times completing the equation is just a matter of using standard order of operations. I learned it as PEMDAS growing up (Parentheses, Exponents, Multiplication/Division, Addition/Subtraction).
Although not as stringent, for companies looking to get started with System and Organization Controls (SOC) examinations, there is a recommended order of operations for completing the SOC examinations.
Readiness Assessment:
A readiness assessment is an informal assessment of the organizations policies, procedures, and operations. It’s an ideal starting point for start-ups and companies that haven’t previously completed a formal internal controls examination.
This is an ideal time for the service organization and service auditor to review client contracts to determine what requirements are documented, quantifiable, and can be assessed through an examination.
In essence, it’s a practice run to identify gaps in compliance before undergoing a formal examination to avoid unexpected delays, failed controls, and modified opinions.
Type 1 Examination:
A Type 1 examination assesses the design of controls as of a single point in time. For example, a Type 1 report will typically indicate “As of September 30, 2025.” The report can be used by service organizations to demonstrate to their clients that they’ve implemented formal processes and controls.
It’s common for the Type 1 examination to be completed in short order following the readiness assessment if no major gaps or controls weakness are noted, which can lead to efficiencies and lower the overall cost of the examination.
However, if major gaps or control weakness are noted during the readiness assessment, the Type 1 examination will likely require starting from scratch, after the gaps or control weakness are remediated. Some or most of the evidence previously obtained during the readiness assessment would no longer be valid months after the fact.
Type 2 Examination:
A Type 2 examination assesses the design of controls AND operating effectiveness during a period of time, usually 9 or 12 months. For example, a Type 2 report will indicate “For the Period October 1, 2024 through September 30, 2025.” This examination involves obtaining populations from the assessment period and selecting a sample of transactions from the population for inspection (testing).
There are unique and rare cases in which the period of time for a Type 2 examination is 6 months. Also, in rare cases, some organizations will complete Type 2 examinations for a 12-month period on a rolling 3-month basis for more continuous monitoring.
There’s no requirement to go in the above order of operations. However, this approach leads to the best results for the service organization and their clients.
Zalovo GRC 