What is SOC 1 compliance?

Close up of team members reviewing a financial report

Defined by the AICPA as the first part of the Service Organization Control series, SOC 1 addresses internal controls around financial reporting. SOC 1, 2, and 3 all follow the Statement on Standards for Attestation Engagements (SSAE 18).

While less applicable than its second and third counterparts, SOC 1 applies to businesses (known as a service organizations) that directly interact with financial information for customers or partners.

SOC 1 for financial reporting

SOC 1 compliance secures a service organization’s interaction, transmission, or storage of users’ financial statements. SOC 1 reports help service organizations build customer trust and reduce the risk of fraud or financial misstatements. Specifically, a SOC 1 report helps management, investors, auditors, and customers evaluate internal controls over financial reporting within guidelines laid out by the AICPA.

When and why does my service organization need a report?

As with most information security frameworks, SOC 1 compliance becomes important to your business when a prospect or customer asks to see your report. This will likely happen if you manage financial data or handle financial reporting for users, like payroll, stock options, retirement plans, and more.

Often, larger enterprises require their vendors to be compliant for the enterprise to pass their own audits. Similarly, you may need to ensure that your vendors are compliant if they are exposed to any user financial reports.

What is the difference between SOC 1 vs. SOC 2?

While SOC 1 reports focus on financial reporting and a an organization’s internal controls, SOC 2 reports evaluate the effectiveness of a company’s security, confidentiality, and privacy controls. 

SOC 2 reports are more relevant for organizations that process sensitive or confidential data, such as HealthTech companies or financial institutions. SOC 2 reports can also help organizations demonstrate compliance with HIPAA, GDPR, or PCI DSS regulations.

SOC 2 for startups, Thoropass University
Continued reading
Learn the difference between SOC 1 and SOC 2
SOC 2 vs SOC 1 icon-arrow-long

How a service organization can achieve SOC 1 compliance

Like other SOC frameworks, getting compliant with SOC 1 involves scoping the program and a gap analysis of existing and missing controls. Any missing controls should be implemented, a risk assessment needs to be executed, and finally, an official audit by a licensed public accountant.

Unlike other SOC frameworks, first, you’ll need to choose an auditor. The auditor helps identify control objectives and supporting control activities based on your system and the maturity of your product. Typically, there are three categories for control objectives. The same firm that identified appropriate controls can audit your control objectives and controls activities.

The SOC 1 compliance process looks like this:

  1. Choose an auditor
  2. Help the auditor understand your product and how it interacts with or impacts financial systems
  3. Define control objectives and supporting control activities
  4. Implement control activities, based on specific control objectives
  5. Review and assess risk

SOC 1 compliance through achieving control objectives

To become SOC 1 compliant, service organizations must follow specific control objectives and control activities outlined in the AICPA’s SOC 1 framework. 

The framework outlines five categories of objectives for internal controls that a service organization must address: control environment, risk assessment, control activities, information and communication, and monitoring. 

Within those control categories are internal controls themselves. These include access controls, change management, backup and recovery, and disaster recovery planning.

Control environment

The control environment objective evaluates the service organization’s overall control environment, including the tone at the top, the organization’s integrity and ethical values, and the commitment to competence. The control environment provides the foundation for all other control objectives.

Risk assessment 

The risk assessment objective evaluates the service organization’s processes for identifying and assessing the risks that could affect the reliability of financial reporting. This includes evaluating the design and implementation of internal controls to mitigate identified risks.

Control activities 

The control activities objective evaluates the specific control activities in place to prevent or detect financial misstatements. Control activities can include policies and procedures related to access controls, segregation of duties, and monitoring and reporting of financial transactions.

Information and communication

The information and communication objective evaluates the accuracy, completeness, and timely reporting of financial information. This includes an evaluation of the service organization’s systems for capturing, processing, and reporting financial information.


The monitoring objective evaluates the service organization’s ongoing monitoring of its controls to ensure their effectiveness over time. This includes an evaluation of the service organization’s processes for identifying control deficiencies and taking corrective action when necessary.

Auditing SOC 1

Where applicable, Thoropass standardizes control objectives and control activities across multiple frameworks. That means that we try to borrow the best control objectives from SOC 2 to fulfill control objectives for SOC 1. This helps save time, avoid confusion, and get your organization closer to full compliance in one swoop.

SOC 1 attestation can only be performed by independent, third-party auditors who meet specific qualifications outlined by the AICPA. These auditors must have the appropriate experience and training to perform the attestation, and they must follow specific guidelines for conducting the assessment. It’s important to choose a reputable auditor who has experience working with your industry and the type of service you provide.

Type 1

Businesses pursuing SOC 1 compliance typically start with a Type 1 report. Type 1 reports examines the design of your compliance program at a certain point in time. This includes any policies you have in place to protect your data, information security procedures, and any additional evidence that your compliance program is functional.

Type 2

SOC 1 Type 2 reports examine the security of your financial controls over a specified period of time, typically 9-12 months. The report includes an evaluation of the controls and corresponding evidence. It needs an annual re-evaluation to maintain compliance.

What goes into a SOC 1 report?

SOC 1 frameworks must be audited by a certified public accountant from a third-party entity. While we recommend an experienced SOC auditor examining your compliance program, you can leverage any CPA.

The timeframe for an audit is and dependent on the size of your organization and the scope of the program. Type 2 must be evaluated over a period of time to determine control effectiveness. You’ll need at least 6 months of evidence after implementation to get your Type 2.

This post was originally published on July 9, 2021 and updated for content and clarity.

Share this post with your network: