What is a SOC 1 Report? Expert Advice You Need to Know

At Linford and Company, we hear this question all the time: “what is a SOC 1 report?” For decades there has been a trend toward outsourcing certain aspects of running an organization to other organizations. The value proposition is simple: organizations can focus on what they do best and leave some of the other details required to run their business to other organizations (in CPA jargon these are called service organizations). A SOC 1 (formerly SSAE 16) Report (Service Organization Controls Report) is a report on controls at a service organization that are relevant to user entities’ internal control over financial reporting.

Who Needs a SOC 1 Report? Example: Service Organization (Payroll Processing)

An example of a service organization that may need a SOC 1 report is a company that provides payroll processing services to user entities. User entities that use the payroll processing company realize the material impact of payroll on their financial statements and request some independent assurance that their payroll is being handled in accordance with their expectations. A SOC 1 report provides user entities of the payroll processing company reasonable assurance that the internal controls of the payroll processing company are suitably designed (Type I report) or suitably designed and operating effectively (Type II report) to provide the payroll services.

Who is Required to Have a SOC 1 Report?

There are numerous service organizations that may receive SOC 1 reports. The common theme between the service organizations should be the potential impact on user entities’ internal controls over financial reporting (ICFR). Some examples of organizations who may receive SOC 1 reports include:

  • Payroll processors
  • Medical claims processors
  • Loan servicing companies
  • Data center companies
  • Software-as-a-Service (SaaS) companies that may impact the financials of their user entities.

Type 1 or Type 2 Report

SOC 1 reports can be Type 1 (aka Type I) or Type 2 (aka Type II) reports.

Type 1 reports are as of a particular date (sometimes referred to as point-in-time reports). They include a description of a service organization’s system as well as tests to help determine whether the service organization’s controls are designed appropriately. Type 1 reports test the design of a service organization’s controls, but not their operating effectiveness.

Type 2 reports cover a period of time (usually 12 months), include a description of the service organization’s system, and test the design and operating effectiveness of key internal controls over a period of time.

SOC 1 Timeline – SAS 70 → SSAE 16 → SSAE 18

Between 1993 and 2011, the SOC 1 report was known as a SAS 70 report. Then in June 2011, the name was changed by the American Institute of CPAs (AICPA) Auditing Standards Board (ASB) when it issued Statement on Standards for Attestation Engagements (SSAE) No. 16, which provides guidance for CPA firms reporting on controls at service organizations. The intent of the SSAE 16 or SOC 1 report is the same as when it was SAS 70: to provide user organizations reasonable assurance that controls at their service organizations relevant to their internal controls over financial reporting (ICFR) are suitably designed and operating effectively.

In 2017, the AICPA issued SSAE 18 which recodifies all previous attestation standards (including SSAE 16). SSAE 18 took effect on May 1, 2017.

Restricted Use Reports

Because SOC 1 reports may contain sensitive information about service organizations, they are considered restricted use reports and should only be shared with management of the service organization (the company who has the SOC 1 performed), user entities of the service organization (the service organization’s clients) and the user entities’ financial auditors (user auditors). The report can assist the user entities’ financial auditors with laws and regulations like the Sarbanes–Oxley Act.

When is a SOC 1 Report Required?

Most of the time your clients will let you know when a SOC 1 or other SOC report is required. Let’s be honest, no one likes to go through an audit. Also, the fees for SOC audits are not insignificant, so ensuring your clients/user entities need the report is a good way to know whether a SOC 1 is the right report for your company. SOC 1 reports can also be a good way to differentiate the services provided to your clients vs. those provided by a competitor without a SOC 1 report.

The abundance of information security questionnaires sent by user entities is enough to drive many companies to obtain a SOC 1 report to answer many of the common questions. Some individuals at service organizations spend a significant portion of their time answering questionnaires with slightly different questions. A SOC 1 report may sometimes be provided in lieu of answering certain sections of the due diligence questionnaires.

SOC 1 Report Structure

The Opinion Letter (SOC 1 Qualified Opinion vs. Unqualified)

The first section contains the opinion letter (aka Independent Auditor’s Report). The opinion letter outlines the scope of the report (services included), the test period (Type 2) or report as-of date (Type 1), and the type of opinion being issued. See our recent blog post on qualified report opinions.

Management’s Assertion

The second section contains an assertion written by management of the service organization that makes a number of management statements including the following: 1) An assertion that the description of the system fairly presents the system, 2) The control objectives were suitably designed (Type 1) or suitably designed and operating effectively (Type 2), and 3) Discussion of the criteria used to make the assertion.

Description of the System

The description of a service organization’s system is a description of the services provided that are relevant to user entities’ ICFR. The description includes the supporting processes, policies, procedures, personnel, and operational activities that constitute the service organization’s services that are relevant to user entities.

Description of Tests of Controls and Results of Testing

This is the section that a SOC auditor uses to describe the controls that were tested as part of the examination, the test procedures used for testing the controls and the results of testing. When reviewing a SOC 1 report, the opinion and the results of testing sections contain the key information necessary to determine whether a service organization’s system of internal controls is suitably designed and operating effectively to provide the services.

Other Information

Some SOC 1 reports include a section used by service organizations to provide additional information about relevant processes that were not tested within the report such as disaster recovery and business continuity information. The SOC auditor will not express an opinion on the statements made by management within this section.

SOC 1 vs. SOC 2 vs. SOC 3 Reports

We constantly have prospective clients that struggle with whether they should get a SOC 1, SOC 2, or SOC 3 report. We normally start by asking these prospective clients about the type of user entities asking for the report as well as the type of services they provide to their clients. This allows us to assess whether there may be an impact to the ICFR of the prospective clients’ user entities. See our recent blog post on choosing between SOC 1 vs. SOC 2 vs. SOC 3.

In this blog post we described what a SOC 1 report is, the types of service organizations that might need a SOC 1 report, differences between Type 1 and Type 2 reports, restricted use reports, when a SOC 1 report might be required, the structure of a SOC 1 report, and differences between SOC reports.

If you would like to discuss SOC audits more in depth, please review our SOC 1 audit page and contact us so that we can help your organization or business with your auditing needs.

17 thoughts on “What is a SOC 1 Report? Expert Advice You Need to Know”

  1. A crystal clear explanation of SOC 1. Would love to see the same article for SOC 2. Would you please write one if there is not one yet?

    Thank you much.

  2. It’s a common misconception that users are entitled to full SOC Reports. If you do not want the security of your company compromised by the SOC Reports, don’t give them out. The SOC should be given only to other SOC rated companies with a strict NDA demanding that the SOC be reviewed only by the person signing the NDA, never put on a network, and then destroyed. Better yet, the user should rely on the SOC Summary or SOC 3 which do not contain company security protocols.

  3. If an entity has already obtained a SOC 2 Report and one of its clients asks for a SOC 1 Report, can the entity show the SOC 2 Report to the client, or does it have to obtain a SOC 1 Report separately?

  4. Try showing them your SOC 2 report. If they object and still want a SOC 1 report, it may prove useful to ask them what risks to the services you are providing them are not covered in the SOC 1 report. This is one way to tell if they really know what to look for within a SOC 1 report. Hope this helps.

  5. Great SOC1 overview.

    In this connected environment, is it a SOC 1 requirement to have a remote site other than your DRS site?

    Most workers will return home in a disaster not risk crossing a bridge to get to an alternative site. BCP go home while IT recovers?

  6. Having a remote disaster recovery site is not a SOC 1 requirement. However, having such a site could be a requirement of your service agreement with your clients (i.e., user organizations) or an important part of the service you as a service provider are performing for your clients.

  7. I disagree with the comment about having only the single reviewer signing an NDA to review a SOC report. We have a global company and our business unit managers often source SaaS and PaaS – and we require service orgs to have SOC reports as part of our procurement review process. However, the business unit manager, not the IT Security and Compliance manager, will sign the final contract. Most business unit managers do not know what good IT security and compliance controls are – it’s not their field of expertise – but it is mine as an IT sec/comp lead in our company. Our company always signs Mutual NDAs before we even start an RFP, so it would be pointless to sign another NDA just to review the SOC report. We not only require SOCs of the main service org but of their subservice providers as well – difficult to demand NDAs of everyone down the chain.

  8. Thank you for the informative article. My issue is that we are the auditors for the Health Fund of a small Union (about 30 companies with 100 employees) with total health insurance claims of about $1.3 million. At the beginning of 2017, they switched their eye and dental coverage to Guardian, with a cost of about $70,000 in 2017. I requested a SOC-1 report from Guardian but they replied that they were not required to perform an SSAE 18 review “due to the fact that the insurance industry is highly regulated by state departments of insurance, who closely monitor the solvency and market conduct practices of insurance companies.”

    All well and good, but does that mean that my firm is now “on the hook” to perform an audit of Guardian’s controls? What options do we have? Thanks!

  9. The audit considerations that you take with Guardian are dependent on your financial statement audit approach and whether you are performing an integrated audit or not. If your financial statement audit approach dictates that you are required to place reliance on Guardian’s internal control environment, then you have a couple of options: 1) they provide you with a SOC report that covers the services you are placing reliance on and a reporting period that has sufficient coverage, or 2) you go out to Guardian to perform an audit of their controls as you noted. In any case, talk to the engagement partner to develop the course of action to take during the audit planning meeting.

  10. Hi RK, a SOC examination must be performed by a licensed CPA firm. You should also ensure that your SOC auditors have IT audit experience and the requisite technical knowledge to perform the examination.

  11. Hi RK, an external auditor must perform a SOC examination and the external auditor must be a part of a public accounting (CPA) firm. Internal auditors may not issue SOC reports.
