What is SOC 1?
SOC 1 (System and Organisation Controls 1) is an auditing standard developed by the AICPA that focuses on internal controls relevant to user entities’ financial reporting. It is designed for service organisations whose services could affect the financial statements of their customers — such as payroll processors, data centres hosting financial applications, loan servicers and financial transaction processors.
SOC 1 replaced the older SAS 70 standard in 2011 and is governed by SSAE 18 (Statement on Standards for Attestation Engagements No. 18), issued in 2017. It is the primary standard used when a service organisation’s controls are relevant to its customers’ financial statement audits.
| Attribute | Details |
|---|---|
| Standards body | AICPA — American Institute of Certified Public Accountants |
| Governing standard | SSAE 18 (2017) |
| Mandatory or voluntary | Voluntary — but required by many enterprise customers and their auditors |
| Geography | USA — widely accepted internationally |
| Official resource | aicpa.org |
SOC 1 Type I vs Type II
| Type | What it covers | Assurance level |
|---|---|---|
| Type I | Controls are suitably designed at a specific point in time | Lower — point-in-time snapshot only |
| Type II | Controls are suitably designed AND operating effectively over a period (typically 6–12 months) | Higher — proves controls worked throughout the period |
SOC 1 vs SOC 2
| Standard | Focus | Used by |
|---|---|---|
| SOC 1 | Internal controls over financial reporting (ICFR) — relevant to customers’ financial statement audits | Payroll processors, financial data centres, loan servicers, financial transaction processors |
| SOC 2 | Security, availability, processing integrity, confidentiality and privacy — Trust Services Criteria | SaaS, cloud providers, managed service providers — any organisation storing customer data |
Securitora Assessment
SOC 1 Type II is essential for any service organisation whose services impact their customers’ financial reporting. The key distinction from SOC 2 is the focus on financial controls rather than information security controls — many financial services organisations require both. If your organisation processes financial transactions, manages payroll, or hosts financial applications for other companies, a SOC 1 report is likely a procurement requirement from your customers’ external auditors.
| Attribute | Details |
|---|---|
| Recommended for | Payroll processors, financial data centres, loan servicers, financial transaction processors |
| Difficulty to implement | Medium — well-defined scope but requires financial controls expertise and an external auditor |
| Best used with | SOC 2 Type II · SOX · COSO |
| Official resource | aicpa.org |