SOC 1 (SSAE 18) — Report on Controls at a Service Organization Relevant to User Entities' Internal Control over Financial Reporting

SOC 1 (SSAE 18) examines controls at service organizations relevant to financial reporting. Learn when you need a SOC 1 report versus SOC 2 and what the audit involves.

Issuing Body: American Institute of Certified Public Accountants (AICPA)
First Published: 2011-06-15
Latest Version: SSAE 18 (2017)
Typical Cost: $30,000–$200,000
Typical Timeline: 3–9 months
Audit Required: Yes
Audit Frequency: Annual Type II reports covering a 6–12 month observation period
Geography: united-states, canada, global

SOC 1: Guide to Financial Reporting Controls

SOC 1 reports, governed by SSAE 18 (Statement on Standards for Attestation Engagements No. 18), examine the internal controls at a service organization that are relevant to its clients' financial reporting. If your service affects your customers' financial statements, SOC 1 is likely the right report.

What SOC 1 Covers

Unlike SOC 2, which focuses broadly on security, availability, and processing integrity, SOC 1 is specifically concerned with controls that could impact a user entity's financial reporting. This includes transaction processing controls, data integrity safeguards, IT general controls (ITGCs), logical access restrictions, and change management for systems that process financial data.

The scope is tailored to each organization — you define the services, systems, and controls relevant to your customers' financial reporting, and the auditor tests those controls.

Type I vs. Type II

  • Type I — Evaluates the design of controls at a specific point in time. Useful as a first step or when time is limited.
  • Type II — Evaluates both the design and operating effectiveness of controls over a period (typically 6 to 12 months). This is what most customers require.

Who Needs SOC 1

SOC 1 is essential for service organizations whose activities impact client financial reporting. Common examples include payroll processors, payment processors, loan servicing companies, claims administrators, data center hosting providers for financial applications, and SaaS companies that process financial transactions.

If your customers' auditors ask about your controls over financial reporting, you need a SOC 1 report. If their questions center on data security and availability more broadly, SOC 2 may be more appropriate.

Audit Process

  1. Scope definition — Identify services and controls relevant to client financial reporting
  2. Readiness assessment — Evaluate current control design and effectiveness
  3. Remediation — Address gaps identified during readiness
  4. Observation period — For Type II, operate controls for 6-12 months
  5. CPA audit — Independent CPA firm tests controls and issues the report
  6. Report delivery — Share the report with customers under NDA

Cost Drivers

The largest cost components are CPA firm audit fees and internal staff time. Organizations with complex processing environments, multiple service lines, or numerous ITGC controls should expect costs toward the higher end of the range.
