What SOC 1 is and why buyers ask for it
SOC 1 — System and Organization Controls 1 — is an attestation report, defined by the American Institute of Certified Public Accountants (AICPA), that covers the controls at a service organisation that are relevant to its clients’ internal control over financial reporting. If your business performs a function that feeds into another company’s financial statements — payroll, data hosting, transaction processing, claims administration — then that company’s auditors need assurance over how you design and operate those controls.
A SOC 1 report gives them exactly that. Rather than each customer auditing you separately, a single independent report can be shared with all of them and with their auditors. In practice, SOC 1 reports get requested during vendor due diligence and at financial year-end, and not having one can stall or block a contract with a regulated or audited client. SOC 1 sits within the broader Cyber Security assurance work ABS delivers, alongside the security-focused SOC 2 report (SOC 2, like SOC 1, is an attestation report rather than a certification).
What the audit covers
A SOC 1 engagement is built around the control objectives relevant to financial reporting in your specific service. It comes in two report types:
- Type I — an opinion on whether the controls are suitably designed and implemented as of a specific date.
- Type II — design plus a test of operating effectiveness over a period, typically 6 to 12 months.
ABS supports the full path: a readiness assessment to map your current controls against the objectives, evaluation of control design, remediation assistance to close gaps, audit preparation and support, and issuance of the report. The engagement is conducted under SSAE 18, the AICPA attestation standard that governs SOC 1; where a client needs the international form, the equivalent ISAE 3402 report covers the same ground for audiences outside the US.
Typical timeline
For most organisations under 200 people, a SOC 1 Type I report takes around 10–14 weeks from kick-off, depending on how mature your control environment already is. A Type II report then adds the observation period (commonly 6–12 months) during which the controls are tested in operation. Every engagement begins with a fixed-price scoping call, and we send a proposal within 24 hours so you know the scope, timeline and cost before committing.
Common questions
What’s the difference between SOC 1 and SOC 2?
SOC 1 reports on controls relevant to your clients’ financial reporting; SOC 2 reports on controls against the AICPA Trust Services Criteria — security, availability, processing integrity, confidentiality and privacy. A buyer’s finance and audit teams ask for SOC 1; their security and procurement teams ask for SOC 2. Many service organisations end up needing both.
What is the difference between a Type I and a Type II report?
A Type I report assesses whether your controls are suitably designed at a single point in time. A Type II report goes further and tests whether those controls operated effectively over a period — commonly 6 to 12 months. Most clients of a service organisation ultimately want a Type II report.
How does SOC 1 relate to ISAE 3402 and SSAE 18?
SSAE 18 is the AICPA attestation standard that governs SOC 1 engagements in the United States. ISAE 3402 is the international equivalent, issued by the IAASB, and is often requested when reporting to organisations outside the US. A SOC 1 report under SSAE 18 and an ISAE 3402 report are the same kind of service-organisation controls report issued under different standards; many firms issue a single report that references both.
Who needs a SOC 1 report?
Service organisations whose services could affect their customers’ financial statements — payroll processors, data hosting and SaaS providers, claims administrators, loan servicers and similar — are most often asked for one. It is especially common for vendors to financial services clients, whose own auditors need assurance over those outsourced controls.