SOC 1 Report (SSAE18)

Controls Related to a User’s Financial Reporting

What is a SOC 1 Report?

A SOC 1 report is a report on internal controls that an organization has that impacts their client’s financial reporting. It focuses on the services that they provide and the controls around those services. Industries that typically you would see a SOC 1 within are payroll processors or employee benefit plan record keepers. They provide a service that impacts their customer’s financial reporting. The SOC 1 report is typically provided to not only your customers, but their auditors. The report outlines controls that the auditors will leverage to reduce the risk. Many times the request comes directly from your customer’s auditors.

What is the Difference Between a SOC 1 Type 1 vs. Type 2?

So, SOC 1 has two types of reports. The first report is most frequently a SOC 1 Type 1, which is as of a point in time. The test is a test of one, and it’s basically the auditor opining that the controls are designed and implemented appropriately following a Type 1, which is as of a point in time, a Type 2 would follow. The Type 2 is over a period of time, and the auditors opining that the controls that were defined are operating effectively during that period of time. The Type 2 would typically follow directly after that Type 1 date. The Type two is a reoccurring audit, typically on an annual cadence.

Additional SOC Resource

Download our eBook, “A Comprehensive Guide to SOC Reports” to learn additional pertinent and valuable information around SOC examinations, report types, finding the right auditor, and much more. If you’d like to discuss how our team can help with your SOC audit needs, please contact us.