What is SOC 1 compliance?


Defined by the AICPA as the first part of the Service Organization Control series, SOC 1 addresses internal controls around financial reporting. SOC 1, 2, and 3 all follow the Statement on Standards for Attestation Engagements (SSAE 18).

While less widely applicable than its second and third counterparts, SOC 1 applies to businesses (known as service organizations) that directly handle financial information on behalf of customers or business partners, and it emphasizes the importance of protecting the financial data of both groups.

SOC 1 for financial reporting

SOC 1 compliance covers how a service organization interacts with, transmits, or stores users’ financial statements. By focusing on the effectiveness of a service organization’s internal control, SOC 1 reports play a crucial role in evaluating internal controls over financial reporting. In particular, they assess control objectives and the effectiveness of the internal controls that govern logical and physical access to programs, data, and computer resources.

This helps service organizations build customer trust and reduce the risk of fraud or financial misstatements. Specifically, a SOC 1 report aids management, investors, auditors, and customers in evaluating internal controls over financial reporting within guidelines laid out by the AICPA.

When and why does my service organization need a report?

As with most information security frameworks, SOC 1 compliance becomes important to your business when a prospect or customer asks to see your report. This will likely happen if you manage financial data or handle financial reporting for users, like payroll, stock options, retirement plans, and more. 

Protecting client data is crucial in this context. Handling it means accessing and safeguarding the financial information and statements of customers, which directly affects the evaluation of internal controls over financial reporting and assures publicly traded clients that their data is secure.

Often, larger enterprises require their vendors to be compliant for the enterprise to pass their own audits. Similarly, you may need to ensure that your vendors are compliant if they are exposed to any user financial reports.

What is the difference between SOC 1 and SOC 2?

While SOC 1 reports focus on financial reporting and an organization’s internal controls, SOC 2 reports evaluate the effectiveness of a company’s security, confidentiality, and privacy controls. 

SOC 2 reports are more relevant for organizations that process sensitive or confidential data, such as HealthTech companies or financial institutions. SOC 2 reports can also help organizations demonstrate compliance with HIPAA, GDPR, or PCI DSS regulations.


How a service organization can achieve SOC 1 compliance

Like other SOC frameworks, getting compliant with SOC 1 involves scoping the program and performing a gap analysis of existing and missing controls, including both IT general controls and business process controls. These controls are essential for demonstrating reasonable assurance that the control objectives in a SOC 1 report are met. Any missing controls (business process controls as well as IT general controls) must be implemented, a risk assessment must be executed, and finally an official audit must be performed by a licensed public accountant.

Unlike other SOC frameworks, the first step is choosing an auditor. The auditor helps identify control objectives and the supporting control activities based on your system and the maturity of your product. Typically, there are three categories of control objectives. The same firm that identified the appropriate controls can then audit your control objectives and control activities.

The SOC 1 compliance process looks like this:

  1. Choose an auditor
  2. Help the auditor understand your product and how it interacts with or impacts financial systems
  3. Define control objectives and supporting control activities
  4. Implement control activities, based on specific control objectives
  5. Review and assess risk

SOC 1 compliance through achieving control objectives

To become SOC 1 compliant, service organizations must follow the specific control objectives and control activities outlined in the AICPA’s SOC 1 framework. The control objective statement defines the aim of each control within this framework: it names the risks the control is intended to mitigate and ensures that the control supports the objectives of the process it belongs to.

The framework outlines five categories of objectives for internal controls that a service organization must address: control environment, risk assessment, control activities, information and communication, and monitoring.

Within those control categories are internal controls themselves. These include access controls, change management, backup and recovery, and disaster recovery planning. Ensuring the operating effectiveness of these controls over time is essential for maintaining SOC 1 compliance.

Control environment

The control environment objective evaluates the service organization’s overall control environment, including the tone at the top, the organization’s integrity and ethical values, and the commitment to competence. The control environment provides the foundation for all other control objectives.

Risk assessment 

The risk assessment objective evaluates the service organization’s processes for identifying and assessing the risks that could affect the reliability of financial reporting. This includes evaluating the design and implementation of internal controls to mitigate identified risks.

Control activities 

The control activities objective evaluates the specific control activities in place to prevent or detect financial misstatements. Control activities can include policies and procedures related to access controls, segregation of duties, and monitoring and reporting of financial transactions.

Information and communication

The information and communication objective evaluates the accuracy, completeness, and timely reporting of financial information. This includes an evaluation of the service organization’s systems for capturing, processing, and reporting financial information.

Monitoring 

The monitoring objective evaluates the service organization’s ongoing monitoring of its controls to ensure their effectiveness over time. This includes an evaluation of the service organization’s processes for identifying control deficiencies and taking corrective action when necessary.

Auditing SOC 1

Where applicable, Thoropass standardizes control objectives and control activities across multiple frameworks. That means we try to reuse the best control objectives from SOC 2 to fulfill control objectives for SOC 1. This saves time, avoids confusion, and brings your organization closer to full compliance in a single pass.

SOC 1 attestation focuses on evaluating and reporting on the effectiveness of an organization’s internal controls, specifically a service organization’s internal controls over financial reporting. This type of attestation can only be performed by independent, third-party auditors who meet the qualifications outlined by the AICPA.

These auditors must have the appropriate experience and training to assess whether a service organization’s internal controls are designed and operating effectively to achieve the objectives related to financial reporting. It’s crucial to select a reputable auditor with experience in your industry and the type of service you provide, because the auditor is the one who evaluates these controls and provides assurance to clients and their auditors about their effectiveness.

Type 1

Businesses pursuing SOC 1 compliance typically start with a Type 1 report. Type 1 reports examine the design of your compliance program at a certain point in time. This includes any policies you have in place to protect your data, information security procedures, and any additional evidence that your compliance program is functional.

Type 2

SOC 1 Type 2 reports examine the security of your financial controls over a specified period of time, typically 9-12 months. The report includes an evaluation of the controls and corresponding evidence. It needs an annual re-evaluation to maintain compliance.

What goes into a SOC 1 report?

SOC 1 frameworks must be audited by a certified public accountant from a third-party entity. While we recommend having an experienced SOC auditor examine your compliance program, you can engage any CPA.

The timeframe for an audit is dependent on the size of your organization and the scope of the program. Type 2 must be evaluated over a period of time to determine control effectiveness. You’ll need at least 6 months of evidence after implementation to get your Type 2.

SOC 1 vs. SOC 2: What’s the difference?

Depending on your business, you may end up pursuing SOC 1 and SOC 2 compliance. Learn more about the difference at Thoropass University.

Note: This blog post was originally published in March 2023 but was reviewed and updated by internal SMEs on May 10, 2024
