Your Complete Guide to
SOC 1 & ICFR Controls

A SOC 1 report (formally a SOC 1 Type 1 or Type 2 examination) evaluates controls at a service organization that are relevant to user entities’ internal control over financial reporting (ICFR). You need a SOC 1 if your organization processes transactions, holds assets, or generates data that feeds into your clients’ financial statements. Common examples include payroll processors, payment gateways, loan servicers, fund administrators, and banking-as-a-service platforms.

A SOC 1 Type 1 report evaluates whether controls are suitably designed to achieve their stated objectives at a specific point in time. A SOC 1 Type 2 report evaluates both the design suitability and operating effectiveness of those controls over a review period, typically 6–12 months. Type 2 reports carry significantly more weight because they demonstrate controls actually worked consistently, not just that they existed on paper.

In the United States, SOC 1 examinations are conducted under SSAE 18 (Statement on Standards for Attestation Engagements No. 18), specifically AT-C Section 320 — Reporting on an Examination of Controls at a Service Organization Relevant to User Entities’ Internal Control Over Financial Reporting. Internationally, the equivalent standard is ISAE 3402 issued by the International Auditing and Assurance Standards Board (IAASB).

Only an independent licensed CPA firm can perform the examination and issue a SOC 1 report. Consultants like Tranquility Cybersecurity handle the readiness work — scoping control objectives, designing and documenting controls, building evidence packages, and coordinating with the CPA firm — but the attestation opinion itself must come from an independent auditor with no involvement in the implementation.

SOC 1 focuses exclusively on controls relevant to user entities’ financial reporting (ICFR), governed by SSAE 18 AT-C 320. SOC 2 focuses on controls related to security, availability, confidentiality, processing integrity, and privacy, governed by AT-C 205 against the AICPA’s Trust Service Criteria. A payroll processor or payment gateway typically needs SOC 1 because their services directly affect clients’ financial statements. A SaaS platform storing customer data typically needs SOC 2. Some organizations need both.

CUECs are controls that the service organization assumes its user entities (clients) have in place for the overall control environment to function properly. For example, a payroll processor may assume the client performs periodic reconciliation of payroll reports to their general ledger. CUECs are disclosed in the SOC 1 report, and the user entity’s auditor evaluates whether the client has actually implemented them.

Expect 4–6 months for a Type 1 report (scoping, control design, remediation, and CPA fieldwork) and 9–14 months for a Type 2 report (which adds a 6–12 month review period during which controls must operate effectively). Organizations that already have mature financial controls or an existing SOC 2 program can often compress the readiness phase to 6–8 weeks.

When a service organization outsources part of its services to a subservice organization, the SOC 1 report must address this. Under the inclusive method, the subservice organization’s controls are included in the scope and tested as part of the examination. Under the carve-out method, the subservice organization’s controls are excluded from the examination scope, but the report describes the functions performed by the subservice organization and the controls the service organization applies to monitor it. Most organizations use the carve-out method because it does not require the subservice organization’s cooperation during the examination.