The short version
A SOC 1 report (System and Organization Controls 1) is an independent audit of the internal controls at a service organization that could affect its clients' financial statements.
"Service organization" is the formal term for any company that performs outsourced functions for other businesses. If your service processes payroll, handles financial transactions, manages benefit plans, or hosts financial data, your clients' auditors need to understand how your controls work.
SOC 1 reports are issued under SSAE 18 (Statement on Standards for Attestation Engagements No. 18), the current professional standard published by the AICPA. The report can only be issued by a licensed CPA firm.
Type 1 vs. Type 2: what's the difference?
There are two versions of a SOC 1 report. They're not interchangeable, and clients often specify which one they need.
SOC 1 Type 1
A point-in-time assessment. The auditor tests whether your controls are suitably designed as of a specific date.
- Good for first-time engagements
- Faster to complete
- No observation period required
SOC 1 Type 2
A period-of-time assessment. The auditor tests whether your controls are suitably designed and operating effectively over a defined period, typically 6-12 months.
- Preferred by most enterprise clients
- Covers operational effectiveness
- Required for many regulated industries
Common path: Many organizations start with a Type 1 to establish their control framework, then move to Type 2 in the following year once they've had time to mature their processes.
What a SOC 1 report actually contains
A SOC 1 report is a formal, confidential document shared only with your clients and their auditors. It has five standard components.
Management's assertion
A signed statement from your leadership asserting that the description of your system is accurate and that controls are suitably designed (and, for Type 2, operating effectively).
The auditor's opinion
The independent CPA firm's formal opinion on whether management's assertion is fairly stated.
Description of the system
A narrative of your service, infrastructure, data flows, and the boundaries of what the report covers.
Control objectives and related controls
A list of what your controls are designed to achieve (the objectives) and the specific controls in place to meet each one.
Test results (Type 2 only)
The auditor's testing procedures and results for each control, including any exceptions noted.
SOC 1 vs. SOC 2: how to tell them apart
These two reports are commonly confused. The key distinction is what they're auditing and who reads them.
| | SOC 1 | SOC 2 |
|---|---|---|
| Focus | Internal controls over financial reporting (ICFR) | Security, availability, processing integrity, confidentiality, and privacy |
| Primary audience | Clients' external auditors (CPAs auditing financial statements) | Clients' security, procurement, and risk teams |
| Standard | SSAE 18 | SSAE 18 / Trust Services Criteria |
| Trigger | Clients' auditors require it during their annual financial audit | Customers, investors, or partners ask for proof of security practices |
Some organizations need both. If you handle financial data and sensitive personal data, you may receive requests for each.
What is SSAE 18?
SSAE 18 (Statement on Standards for Attestation Engagements No. 18) is the professional standard published by the AICPA that defines how SOC reports must be conducted and issued.
It replaced the older SAS 70 standard and has been in effect since 2017. If someone refers to a "SAS 70 audit," they mean a SOC 1 under the older standard. The current reports are issued under SSAE 18.
The standard requires that only a licensed CPA firm can issue the opinion, that the firm be independent of the service organization, and that the audit follow specific professional procedures.
Ready to get started?
A 15-minute call is enough to scope your engagement, understand your timeline, and get a cost range. No obligation.