A System and Organization Control 1 or SOC 1 report is given to a service organization after it demonstrates that it has sufficient internal controls in place to ensure that its client’s financials will not be affected due to its own actions. Clients usually use these reports to demonstrate to their own auditors that they trust the services that you are providing to them and do not expect your actions to impact their business in any way.

The report is generated as per guidelines laid out in the Statement on Standards for Attestation Engagements No. 18 (SSAE 18) for the US and its Canadian equivalent,  Canadian Standard on Assurance Engagements, (CSAE) 3416. By obtaining a report from an auditing agency, you can demonstrate to your client that your internal controls are in place and effective.

The SOC 1 report is made up of two parts, Type I and Type II, each of which delivers a different value to your clients.

SOC 1 Type I

The Type I report is usually issued after a basic audit which includes the description of your company, the services you provide and the controls you have in place for these services on the day of the audit. The auditing agency also comments on the suitability of the controls for the services being provided. Since the Type I report provides no assurances on the effectiveness of internal controls, it does report, if the controls are in place and can be seen as a confidence building measure for your client.

If you are a small company or a startup that wants to engage with big clients, a SOC1 Type I report will be your first stepping stone to convince a big client that you are a company with a system in place and does not run on whims and fancies. To demonstrate how good your systems are, you will need your SOC1 Type II report.

SOC 1 Type II

The Type II report is in a way an extension of the Type I report issued earlier. However, the Type II report is only issued after an assessment of the controls is carried out over a longer period of time, typically six months. So, while you can get a Type I report quickly, the Type II report is what your clients would be really interested in case they have any apprehensions. Typically, once issued, a Type II report can be renewed on an annual basis.

The SOC1 Type II report contains all the details of the tests carried out by the auditor and your organization’s performance in those tests. This assures your clients that you are indeed doing what you claim to be doing and as per the policies you have laid out for your company. By doing so, you are unlikely to risk the finances of the client and they can continue to bank on your services.