A System and Organization Controls (SOC) 1 report is an independent auditor’s report on internal controls placed in operation at a service organization relevant to financial reporting. SOC reports can be as of a point in time (a “Type I” report) or cover a period of time (a “Type II” report). A Type I report is commonly the first report issued for a service organization, with the second and following reports being Type II reports.

 

The purpose of a SOC 1 is to report on controls at a service organization relevant to user entities’ internal controls over financial reporting for the benefit of all stakeholders, including the service organization (your organization), user entities (your customers) and user auditors (the CPA firms that audit your customers). NOTE: A SOC 1 Type II report usually covers a 6 to 12-month period.

 

SOC 1 engagements must conform to the requirements of certain AICPA attestation standards and interpretations. Such guidance includes:

 

• SSAE 18 (AT-C Section 320)—Statement on Standards for Attestation Engagements (SSAE) No. 18, Attestation Standards: Clarification and Recodification, which includes AT-C Section 320, Reporting on an Examination of Controls at a Service Organization Relevant to User Entities’ Internal Control Over Financial Reporting (AICPA, Professional Standards). AT-C Section 320 also incorporates by reference AT-C Section 105, Concepts Common to All Attestation Engagements, and AT-C Section 205, Examination Engagements.

​

• SOC 1 Audit Guide—AICPA Guide, Reporting on an Examination of Controls at a Service Organization Relevant to User Entities’ Internal Control Over Financial Reporting (SOC 1®).

 

The controls addressed by engagements under SSAE 18, and interpreted via the SOC 1 Audit Guide, are those that a service organization implements to prevent, or detect and correct, errors or omissions in the information it provides to user entities. A service organization’s controls are relevant to a user entity’s internal controls over financial reporting when they are part of the user entity’s information and communication systems maintained by the service organization.

 

You may provide your SOC 1 report to your customers, who may provide it to their auditors. The report provides them with assurance as to the design and, in the case of a SOC 1 Type II report, the operating effectiveness of the controls implemented in your environment that impact their financial statement assertions.