Nexurion Field Notes · Vol. II · 12 April 2026
SOC 2 · Type 2 · Sprint readiness · 6 pages · ~10 min
Author of record · Jack Giordano

Skip Type 1. Go straight to a six-month Type 2.

A senior practitioner's case for replacing the SOC 2 Type 1 attestation with a 14-week readiness sprint, and the ~$30,000 we now save clients by routing them straight into a six-month Type 2. Type 1 is, in 2026, almost always the wrong instrument.

Volume: II of V
Domain: SOC 2 / AICPA TSC
Audience: Founders, CFOs, deal teams
Author: Jack Giordano
Reading time: ~10 minutes

§ 01 · The instrument

Type 1 is a photograph. Type 2 is a film.

The AICPA's Trust Services Criteria attestation comes in two shapes. A Type 1 reports on the design of controls at a single point in time: the auditor reads your policies, walks the system, and writes an opinion that says, on this date, these controls were suitably designed.

A Type 2 reports on the same controls' operating effectiveness across a window (typically three to twelve months) by sampling evidence: tickets, access reviews, deploys, monitoring records. The auditor opines on whether the controls actually ran.

For two decades the conventional sequence was: build the program, get a Type 1 to prove design, then run for six months to earn a Type 2. Buyers accepted the Type 1 as interim proof while you cooked the longer report. That sequence was always a compromise. In 2026 it is no longer one buyers accept.

Working definition

Type 1: design assessment, single date, ~6–8 weeks of fieldwork.

Type 2: operating-effectiveness assessment, 3–12 month window, sampled evidence.

§ 02 · The shift

Why we stopped recommending it.

Three things changed between 2022 and 2025, and they changed together:

  1. Buyers stopped reading Type 1s. Procurement teams at the mid-market and up (the buyers a SOC 2 actually unlocks) now check report type before report contents. Several of the security questionnaires we see in 2026 have a literal "Type 2 only" field. A Type 1 in that workflow is treated as unstarted.
  2. The cost gap closed. The market price for a Type 1 in 2022 was $8–12k. In 2026 it is $14–20k from a reputable firm, within $10k of a six-month Type 2 from the same firm. Most of the audit fee is fixed planning, not fieldwork hours.
  3. Auditors started double-pricing it. Because the work doesn't compose (a Type 1 fielded in March is not credit toward a Type 2 fielded in October), clients pay the planning fee twice. Several Big Four-adjacent firms now quote Type 1 + Type 2 sequentially at ~165% of the standalone Type 2 price.

"The Type 1 used to be a down payment on the Type 2. Today it is a separate purchase that buyers don't recognize, auditors don't credit, and the calendar doesn't reward." (Field Note Vol. II, §02)

§ 03 · The math

The ~$30,000 we now save clients by skipping it.

Here is a real engagement we ran in Q1 2026, with the client's permission and the numbers anonymized to round thousands. The client is a 38-person Series-B SaaS company sold into healthcare and fintech.

| Path | Audit fees | Internal effort | Time to Type 2 | Total cost |
|---|---|---|---|---|
| Type 1 → Type 2 (conventional) | $18k + $32k = $50k | ~280 hrs (split across two engagements) | ~11 months from kickoff | ~$98k |
| 14-week sprint → 6-month Type 2 (ours) | One audit · $36k | ~190 hrs (concentrated) | ~9 months from kickoff | ~$67k |

The savings come from three places, in roughly equal share: (1) a single audit fee instead of two, (2) lower internal hours because evidence is collected once for one window rather than twice for two, and (3) a sprint cadence that doesn't drift: the meter runs only during sprint weeks, not for the eleven months of "we'll get back to that policy."

Caveat

The savings shown above are this engagement, this client, this auditor. Audit fees vary by complexity, scope, and firm. The pattern holds across the seven engagements we ran on this model in 2025; the absolute numbers will not be your numbers.

§ 04 · The sequence

The 14-week sprint, week by week.

What replaces the Type 1 is not nothing: it is a structured readiness engagement that produces the same evidentiary spine a Type 1 would have, without the audit opinion. The sprint runs in four phases.

  1. Weeks 1–3: Scoping & gap read

    Boundary diagram, inventory pull, control-mapping pass against the AICPA's relevant Trust Services Criteria. We name every system, identity, and data flow that would be in scope. We do not write any policy this phase.

  2. Weeks 4–8: Control build

    The five or six controls that aren't yet running get built: most often access reviews, change management, vendor monitoring, and a real incident-response runbook. Operators run them in parallel; we don't paper over.

  3. Weeks 9–12: Evidence loop

    The first month of evidence accrues. We rehearse the auditor's sample, pulling the same tickets, screenshots, and approvals an auditor would request. If a control can't produce evidence in week 12, it can't produce evidence in month 6 either; we fix it now.

  4. Weeks 13–14: Auditor selection & window kickoff

    We pre-brief two CPA firms, share the readiness packet, and the client picks. The Type 2 observation window opens at week 14. From here, the meter is the auditor's, not ours.

By month 9 from kickoff (six months of observation plus three of fieldwork and reporting), the client is holding a clean Type 2 report. No interim Type 1, no interim cost, and a buyer-grade artifact on the first attempt.

§ 05 · The exceptions

The four cases we still run Type 1.

"Skip Type 1" is the default. It is not a rule. There are four cases, and only four, where we still recommend the conventional sequence:

Case 01 · Active deal
An identified deal worth more than $200k ARR is contractually gated on a SOC 2 (any SOC 2) by a date earlier than month 6. A Type 1 in 8 weeks closes the deal. Ship it.
Case 02 · Carve-out subservice
You are a subservice organization being carved out of a larger Type 2; the parent's auditor will accept a Type 1 as the bridge artifact. Common in healthcare-tech rollups.
Case 03 · M&A diligence
Your acquirer's diligence team has explicitly named a Type 1 as a closing deliverable. (We push back; we sometimes lose.)
Case 04 · Pre-IPO governance
An audit committee that wants attestation evidence on the design of controls before the operating window opens. Rare; we have seen it twice.

If you are not in one of these four cases, the Type 1 is paying for an artifact your buyer will not read.

§ 06 · Retractions

Three positions we are willing to retract.

If the next 12 months show otherwise, we will say so in print, in the next volume's masthead. The three positions in this memo we will retract on the following evidence:

  • If a tier-one CPA firm publishes a credit-back schedule that meaningfully discounts a follow-on Type 2 after a Type 1 (say, 30% or more), the math in §03 inverts and we will recommend Type 1 again for cost-sensitive clients.
  • If a major procurement-questionnaire vendor (OneTrust, Vanta, Drata) reintroduces a recognized Type 1 field with its own conformance signal, the buyer-recognition argument in §02 weakens.
  • If the AICPA reissues TSP 100 with a "Type 1.5" or interim-attestation product that auditors will credit toward Type 2 fieldwork, the entire memo is moot.

None of these are likely in 2026. All are possible. We are watching.

Considering SOC 2, and unsure which path to start on?

A 45-minute scoping call. We tell you which of the four exception cases you fall into, or we tell you to skip Type 1. No deck, no nurture sequence, no follow-up unless you reply.