SOC 1 Report (SSAE18)

Controls Related to a User’s Financial Reporting

A SOC 1 report is a report on internal controls that an organization has that impacts their client’s financial reporting. It focuses on the services that they provide and the controls around those services. Industries that typically you would see a SOC 1 within are payroll processors or employee benefit plan record keepers. They provide a service that impacts their customer’s financial reporting. The SOC 1 report is typically provided to not only your customers, but their auditors. The report outlines controls that the auditors will leverage to reduce the risk. Many times the request comes directly from your customer’s auditors.

So, SOC 1 has two types of reports. The first report is most frequently a SOC 1 Type 1, which is as of a point in time. The test is a test of one, and it’s basically the auditor opining that the controls are designed and implemented appropriately following a Type 1, which is as of a point in time, a Type 2 would follow. The Type 2 is over a period of time, and the auditors opining that the controls that were defined are operating effectively during that period of time. The Type 2 would typically follow directly after that Type 1 date. The Type two is a reoccurring audit, typically on an annual cadence.

A Comprehensive Guide to SOC Reports

Everything your service organization needs to know to maximize internal control value that builds credibility, confidence, and a competitive edge.


Featured Insights


Make Your Future Vision a Reality with SC&H