SOC 1 Reporting

A SOC 1 report is an independent examination of controls at a service organization that are relevant to user entities' internal control over financial reporting (ICFR). Conducted under AICPA SSAE No. 18 (AT-C Section 320), a SOC 1 report provides assurance to your clients and their auditors that your controls are suitably designed and, in the case of a Type II report, operating effectively over a specified period. Unlike SOC 2, which evaluates controls against fixed Trust Services Criteria, SOC 1 reports are scoped to custom control objectives tied to how your services affect your clients' financial statements.

SOC 1 reports are designed for service organizations whose operations directly impact their clients' financial reporting. This includes payroll processors, loan servicers, benefits administrators, claims processors, financial transaction processors, and third-party administrators (TPAs). If your clients' external auditors need to evaluate controls at your organization as part of their financial statement audit, a SOC 1 report gives them the independent assurance they require.

A SOC 1 Type I report evaluates whether your controls are suitably designed as of a specific date. It is a point-in-time assessment that does not test whether controls operated effectively over a period. A SOC 1 Type II report tests both the design and operating effectiveness of controls over an audit period, typically 6 to 12 months. Most clients and their external auditors ultimately require a Type II report because it demonstrates that controls work consistently over time. Type I reports are useful as a first step, especially when a customer needs evidence quickly or your controls are newly implemented.

For a SOC 1 Type I engagement, expect approximately 4 to 6 weeks from scoping to final report delivery. For a SOC 1 Type II, the audit period itself is typically 6 to 12 months (the period over which your controls are tested), with fieldwork and report delivery adding approximately 6 to 8 weeks after the period ends. If a readiness assessment is included, add 4 to 8 weeks upfront for gap analysis and remediation guidance. We target a draft report within two weeks of completing fieldwork.

SOC 1 audit fees vary based on scope and complexity. Type I engagements typically start around $16,000. Type II engagements start higher and can go well above that depending on the number of control objectives, locations, environment complexity, and whether subservice organizations are in scope. We provide a fixed-fee proposal before the engagement begins so there are no surprises. Use our pricing calculator for an estimate, or contact us for a custom quote.

SOC 1 examinations are performed under the AICPA Statement on Standards for Attestation Engagements (SSAE) No. 18, AT-C Section 320, Reporting on an Examination of Controls at a Service Organization Relevant to User Entities' Internal Control Over Financial Reporting. The engagement is also governed by the AICPA guide, Service Organizations: Reporting on Controls at a Service Organization Relevant to User Entities' Internal Control over Financial Reporting, which provides the framework for how these examinations are structured, scoped, and reported.

A SOC 1 report is issued by an independent, licensed CPA firm and includes management's description of the service organization's system, the defined control objectives, and the auditor's opinion on whether those controls meet the stated objectives. For Type II reports, it also includes the results of testing controls for operating effectiveness across the full audit period.

SOC 1 and SOC 2 serve different purposes. A SOC 1 report focuses on controls relevant to user entities' Internal Controls over Financial Reporting (ICFR). The control objectives are custom, defined based on how your service affects your clients' financial statements. A SOC 2 report evaluates controls against the AICPA's fixed Trust Services Criteria (security, availability, processing integrity, confidentiality, and privacy). The right report depends on what your clients and their auditors are asking for: if they need assurance about financial reporting controls, it is SOC 1; if they need assurance about data security and operational controls, it is SOC 2. Some organizations need both.

CUECs are controls that your clients (user entities) are expected to implement for your controls to function as intended. For example, your system may process payroll calculations accurately, but it is your client's responsibility to ensure the payroll inputs they submit are correct. SOC 1 reports document CUECs clearly so that user auditors understand what their client is responsible for versus what your organization controls. Well-defined CUECs reduce ambiguity during your clients' financial statement audits.

When your organization relies on subservice organizations (vendors like cloud hosts, payment processors, or data centers), the SOC 1 report must address their role. The carve-out method excludes the subservice organization's controls from your report. Your report describes the services they provide, but user auditors will need separate assurance from that vendor. The inclusive method brings the subservice organization's controls into your report scope, which requires their active participation in the audit. The right choice depends on what your user entities expect and the nature of the subservice relationship. We help you decide during scoping.

A bridge letter covers the gap between the end of your SOC 1 report period and a user entity's fiscal year-end. It is a management assertion (issued by your organization, not the audit firm) confirming that no significant changes to controls occurred during that gap. Bridge letters are common when your report period does not perfectly align with every client's year-end. As your auditors, we can provide progress letters or engagement letters that you may share with clients to demonstrate that your next audit is underway.

Start by identifying the services in scope and the control objectives that are relevant to your clients' financial reporting. Document your control activities and gather evidence that those controls are operating as designed. Determine whether subservice organizations are part of your environment and how you will address them (carve-out or inclusive). Consider a readiness assessment to identify gaps before the formal audit begins. We recommend engaging your audit firm early so you can scope the engagement together and avoid surprises during fieldwork. See our full audit process →

Yes. We coordinate directly with user auditors on scope, timing, control objectives, and CUEC questions. You do not need to act as an intermediary between your clients' auditors and us. This is especially important for SOC 1 engagements, where user auditors often have specific questions about control objectives and how they relate to their client's financial reporting environment.

Yes. If you are already managing controls and evidence in a GRC platform like Drata, Vanta, Scytale, or similar tools, our audit process adapts to your workflow. We pull from your existing repository rather than asking you to duplicate work. If you are not using a platform, we provide our own structured approach to evidence collection and control mapping.