SOC 1 Audit Preparation

Start 4-6 months before you want the CPA's report issued. The first 2 months cover scoping, control design, and evidence-repository setup. The remaining time fills the observation window (for Type II) or lets you remediate gaps found in internal testing (for Type I). Organizations preparing for their first SOC 1 should budget closer to 6 months.

Type I tests whether controls are suitably designed at a single point in time — you need clean documentation and current artifacts but no operating history. Type II tests design plus operating effectiveness over a period (typically 6-12 months), so you must collect evidence continuously throughout the observation window. Type II preparation is more demanding because every control must have a provable track record, not just a snapshot.

You (the service organization) select and engage the CPA firm. The CPA must be independent — they cannot have performed the implementation work. A compliance consultant like Tranquility Cybersecurity helps you prepare, but the attestation opinion comes from the licensed CPA firm. Choose a firm with specific SOC 1 / SSAE 18 experience in your industry, not just general audit capability.

The management assertion is a formal written statement from the service organization's leadership declaring that: (1) the system description fairly presents the system as designed and implemented, (2) controls were suitably designed to achieve the stated control objectives, and (3) for Type II, controls operated effectively throughout the specified period. The CPA's opinion is issued against this assertion — it is not optional.

CUECs (Complementary User Entity Controls) are controls that your user entities must operate for your own controls to be fully effective. Example: your payroll system processes what the client submits, so the client must control the accuracy of employee data they send you. CUECs appear in the SOC 1 report and the user entity's auditor tests them. Undocumented or unrealistic CUECs are a top finding.

If you use a subservice organization (e.g., AWS for hosting, a custodian bank for asset safekeeping), you choose how to address them. The carve-out method excludes the subservice from your scope — you describe the boundary and your CPA does not test their controls. The inclusive method includes them, requiring additional coordination and testing. Most first-time SOC 1 engagements use the carve-out method to reduce complexity.

Auditors sample transaction-processing records (e.g., 25-45 payroll runs or trade confirmations), access-provisioning and removal tickets, change-management records with approvals and test evidence, reconciliation files between subledgers and the general ledger, exception and error-handling logs, and supervisory review sign-offs. For Type II, samples span the entire observation window, not just recent months.

If the CPA identifies an exception during testing, the finding appears in the report — it cannot be "erased" by a mid-audit fix. However, you can include a management response describing the remediation taken and the date it was effective. This is why pre-audit internal testing is critical: find and fix gaps before the CPA arrives so they never become formal exceptions.

SOC 1 focuses on controls relevant to user entities' financial statements (ICFR) under SSAE 18 / AT-C Section 320. SOC 2 focuses on the Trust Services Criteria (security, availability, confidentiality, processing integrity, privacy) under AT-C Section 205. SOC 1 preparation requires mapping every control to a financial-statement impact and drafting control objectives tied to ICFR. SOC 2 preparation maps controls to the common criteria. The evidence-collection mechanics are similar, but the scoping logic is fundamentally different.

During a walkthrough, the CPA traces one end-to-end transaction through your system — from initiation (e.g., a client submits payroll data) through processing (calculations, validations, approvals) to output (pay stubs, tax filings, GL postings). They interview control owners, inspect the artifacts at each step, and may re-execute a calculation. The walkthrough tests design effectiveness and helps the CPA understand the system for their description review. Expect one walkthrough per major process in scope.