Understanding SOC 1 (System and Organization Controls 1)
for User Entities and Service Organizations

What is SOC 1?

System and Organizational Controls 1, or SOC 1, helps user entities determine the effectiveness of their service providers’ internal controls for financial reporting (ICFR).

The American Institute of Certified Public Accountants (AICPA) oversees SOC 1 guidelines, which companies can use to make sure third-parties they work with that handle financial and similar transactions implement industry recognized best practices for financial controls.

Generally, CPAs audit service organizations and provide one of two SOC 1 report types, Type 1 or Type 2. In this SOC 1 resource, learn more about what the regulations are, who should be compliant, how to prepare for a SOC 1 audit report, and get the most out of your time with your CPA auditor.

SOC 1: Helping Companies Verify Service Organizations
Use Effective Internal Controls for Finance Reporting

System and Organization Controls 1 (SOC 1) are a set of standards companies (user entities) can use to determine how effectively their service providers (service organizations) implement and manage controls that may impact financial reporting. AICPA says these controls are “relevant to security, availability, and processing integrity of the systems the service organization uses to process users’ data and the confidentiality and privacy of the information processed by these systems.”

Some examples of SOC 1 user entities are:

While user entities can outsource a range of financial tasks to service organizations, the user entity is ultimately responsible for ensuring providers implement effective controls for third-party services.

If you’re a service provider, for example, a software-as-a-service (SaaS) company or a data center, and your services may impact a user entity’s financial statements, then you may need to attest your business meets SOC 1 criteria.

In simple terms, being a SOC 1 compliant service organization demonstrates you’re using industry recognized best practices to assess and manage risk. In some cases, an internal department within a larger organization could be considered a service organization.

Some other examples of SOC 1 services providers are:

In some cases, service organizations outsource services to other third parties. If those third-party services are relevant to the user entity’s ICFR, then they may also require SOC compliance. When this occurs, the service organization is responsible for the overall system of internal controls.

There are two types of SOC 1 reports, SOC 1 Type 1 and SOC 1 Type 2. Which SOC report is right for your organization depends on a number of factors, such as the nature of your business, types of services provided, types of data handled, and your company’s risk appetite. Certified public accountants (CPAs) manage SOC compliance reports.

Depending on report type, SOC reports generally include:

SOC 1 Type 1 and SOC 1 Type 2 Reports

Simplifying SOC Compliance for Service Organizations

With the power of Apptega, you can simplify SOC 1 compliance and easily pass a Type 1 or Type 2 audit:

• Select the best framework (or multiple frameworks) from a constantly-growing framework library
• Select and implement controls and sub-controls to meet your SOC 1 objectives
• Cross-walk your SOC 1 controls across multiple frameworks to meet report requirements for SOC 2, SOC 3, SOC for Cybersecurity, and SOC for Supply Chain
• If you’re a user entity, get insight into all of your service providers’ SOC controls, all in a single platform
• Quickly identify SOC compliance gaps or issues
• Prepare for and ace your SOC 1 audit

Who Needs SOC 1 Compliance?

Does My Organization Need to be SOC 1 Compliant?

If you’re a user entity and you’ve partnered with service organizations to provide services that could impact your financial statements (for example a loan processor or your payroll company), then you’ll want to ensure they have effective internal controls for financial reporting. Getting a SOC 1 report from your service provider is a great way to do that.

If you’re a service provider and the services you provide could impact your user entity’s financial reporting, then you should get a SOC 1 audit report. Your user entity will use the report as part of their own internal financial process auditing.

In addition to that, the Sarbanes-Oxley Act (SOX) requires all publicly-traded companies that operate in the United States to implement internal procedures for financial reporting. SOX also makes CEOs and CFOs of publicly traded companies responsible for report accuracy and also for ensuring implementation of internal controls, completing financial report documentation, and submitting those documents to the appropriate agencies.

While a SOC report won’t necessarily mean you’re SOX compliant, it is a great way to measure your organization’s internal controls for finances.

If your services don’t impact financial statements, but you process other sensitive data, then you may need to be SOC 2 or SOC 3 compliant.

The Differences Between SOC 1, SOC 2, SOC 3, and Other SOC Reports

According to AICPA, SOC reports help service organizations “build trust and confidence” that the services they perform have effective related controls that an independent third-party CPA has reviewed.

For many years, organizations attested to this by using State on Auditing Standards No. 70 (SAS 70). Also governed by AICPA, CPAs conducted audits based on SAS 70 standards. Eventually, AICPA replaced SAS 70 with Statement on Standards for Attestation Engagements (SSAE) No. 16 and then updated that with some clarifications to SSAE No. 18. The new regulations set attestation standards and require service organizations to provide written attestation about information system design, procedures, and controls, along with information about their effectiveness. This is where SOC reports were born.

SOC reports are not public and are restricted. Because they provide detailed information about controls, they’re considered confidential and generally only reviewed by the service organization, user entity, and CPA auditor. If a service organization refuses to share a SOC report, but a user entity must verify SOC controls, then the user entity may conduct its own control assessment on the service organization. For that reason, it’s common practice for service providers to share SOC reports with their user entities (customers).

SOC 3 reports are different. Because they don’t contain such detailed information, they can be freely distributed. A company, for example, could use SOC 3 report findings in their marketing efforts or share it on a website for transparency. SOC 1 and SOC 2 reports are limited and cannot be shared this way.

Here is a list of the SOC reports that may be applicable to your business:

AICPA has created a three-question guide to help determine which report may be best for your needs. Ask:

For service organizations trying to make decisions between a SOC 2 and SOC 3 report, ask:

SOC 1 Type 1 and SOC 1 Type 2 Reports

AICPA focuses on promoting best practices to help organizations fairly and accurately handle financial reporting and management. SOC reports are an example of this. Each report type has a specific purpose and function. For SOC 1 compliance, there are two report types:

While there is no “certification period” for a SOC 1 report, user entities generally accept a report for the previous year. After that, it’s best practice to undergo an updated assessment to ensure controls are still effective, especially as the service organization’s environment changes.

Understanding SOC 1 Controls

While there is not a specific SOC 1 framework or mandatory SOC 1 controls or sub-controls, AICPA indicates that control objectives should be “reasonable” in circumstances as they relate to assertions commonly used in user entity financial statements and to which the service organization could reasonably be expected to relate.

SOC 1 control objectives are flexible so service organizations can tailor them to the specific services they provide and align with industries served. According to AICPA, in a SOC 1 audit, control objectives are used as criteria to determine if an organization’s controls are “suitably designed and operating effectively.” As related to a user entity’s ICFR, the service organization’s related controls should be:

In general, there are a few recommended control objectives for service organizations:

If a service organization operates within an industry or location that has compliance or other regulatory requirements, they are also expected to meet those standards, which may be reviewed during a SOC compliance audit.

While there is no one-size-fits-all controls checklist for SOC compliance, AICPA encourages organizations to include five key characteristics of their control activities descriptions:

Since SOC 1 Type 2 reports span a specific time period, organizations should also report on any changes that occur to their systems that could affect user entity ICFR during that time.

Another important piece of selecting the right controls for SOC compliance, is the organization’s ability to conduct an accurate risk assessment so it can effectively define control objectives. AICPA offers this guidance on the risk assessment process:

Help Your Service Organizations With SOC 1 Requirements

If you’re a user entity that outsources financial transactions and other related services, you’re responsible for ensuring your service organizations meet your SOC 1 requirements. But not every service organization understands SOC compliance and some may not have the in-house skilled professionals or resources to implement and manage necessary controls.

If you feel the risks introduced by a service provider exceeds your risk threshold and may negatively impact your financial reporting abilities, consider vetting other vendors as replacements.

Another option is to work directly with your service providers to help them understand and implement the appropriate SOC 1 controls. It may also be helpful to include this information in your service level agreements (SLAs).

Here are a few other tips to help your service organizations get ready for a SOC 1 compliance audit:

Preparing for a SOC 1 Audit

While there is not a specific certification for SOC 1 compliance, there are some things you can do in advance to prepare for your SOC 1 report audit.

First, understand the type of SOC report you need. If you’re unsure, review the Differences Between SOC Reports section on this page. To make this determination as a service organization, you may also need to identify all of the user entities that are your customers and understand their SOC requirements. If you’re a user entity, be sure to communicate to all of your service providers the SOC report type you need.

The next step is to define your organization’s systems. AICPA says this written description, which is the responsibility of management, should include:

Once you’ve identified services and controls, map the controls to your control objectives, then test the controls to see if they meet the objectives. If they do not, identify gaps and make plans to address them.

Once you’ve resolved any performance issues, it’s time to select an auditor and begin the engagement process. If you need help, consider using the AICPA’s Firm Search function.

What to Expect During Your SOC 1 Audit

Many companies offer SOC readiness assessments to determine if you’re ready for a SOC 1 audit. During a readiness assessment, your consultant or software solution should give you insight into the processes, controls, and documentation you already have in place, how they’re performing, discover gaps or other issues, and make recommendations to mitigate those issues before your actual CPA audit.

There are also software solutions to help you prepare. Apptega’s Audit Manager, for example, can assess your current controls and sub-controls with a real-time compliance assessment, help you prepare and store all the documentation required for the audit, and enable you to track your audit processes — all within a single platform.

And, if you need more help and want to work with a SOC 1 consultant or need other resources, you can find everything you need in Apptega Edge.

Once you’ve determined you’re ready, it’s time to engage with your auditor. While each auditor's report may vary, here are some common areas auditors will likely address:

• Audit scope
• SOC report type
• Service organization assertions about controls and risk
• System and control descriptions including control objectives, activities, and user entity controls
• Auditor's findings
• Did management accurately describe control objectives?
• Is the design of the controls reasonable to the services provided?
• Which tests did the auditor conduct?
• After testing, did the controls perform as intended?
• Other information (for example, management response to any deficiencies found in the audit or other relevant information such as a business continuity plan)

Once you’ve identified services and controls, map the controls to your control objectives, then test the controls to see if they meet the objectives. If they do not, identify gaps and make plans to address them.

Once you’ve resolved any performance issues, it’s time to select an auditor and begin the engagement process. If you need help, consider using the AICPA’s Firm Search function.

SOC 1 FAQs

Still have a question?

Get in touch with us and we would be happy to help.

Acing Your SOC 1 Audit with Apptega

Apptega has everything you need to prepare you for a SOC 1 report so you’ll have confidence you can ace your audit. If your organization already uses other frameworks and controls, for example, ISO 27001, NIST CSF, or NIST 800-53, you can get instant insight into what you already have in place that might apply to SOC 1 compliance.

You can even build your own SOC 1 framework based on your organization’s specific services, complete with customized controls to ensure you’re meeting your specific control objectives. And if you’re not, you can find recommendations to mitigate weaknesses before your audit.

Here are some of the other ways Apptega can help:

• Questionnaire-based audit assessments
• Automated and customizable reports
• Automated alerts and notifications
• Granular roles and permissions settings
• Document repository
• Ability to share documents and program information directly with your auditor