SOC 1 Report / SSAE 16 / SSAE 18


SOC 1 reports, issued under the AICPA (American Institute of CPAs) SSAE 16 guidance, are designed to give external parties, such as partners and customers, assurance that a company’s internal controls over financial reporting are appropriate and operating effectively. SOC 1 reports replaced the SAS 70 standard. SOC 1 reports are a great way to gain confidence that you’re doing all of the right things. This can help your customers gain trust in you as a service provider.

We have seen from experience that many enterprise companies will not do business with smaller companies or startups that have not completed a SOC 1 or SOC 2 report. Too many small companies “fly by the seat of their pants” and lack the necessary security controls to protect their information. As mentioned above, SOC 1 reports are traditionally reserved for testing controls relevant to the financial reporting process. If your company does not process financial transactions and is not used in the chain of financial system processing, a SOC 2 report may be a better fit for you.


SOC 1 Type I

The SOC 1 Type I is the first report issued when you’re a company providing services that impact your customer’s financial reporting. The Type I report merely provides a description of your company, the internal control environment, references to your policies and procedures, and an opinion on the suitability and design of the controls in place at the point in time the report was issued. While a SOC 1 Type I is better than no report at all, it provides very little value to your customers/partners because it does not provide an opinion on whether you’re actually following your own policies and procedures. Type I reports are usually just a stepping stone to the much stronger SOC 1 Type II.


SOC 1 Type II

The SOC 1 Type II is typically the second report issued and is much more valuable to external parties because it reports on the effectiveness of the controls in your organization. Are you doing what you said you’re doing? Do the policies match the actual operation of your company? Per AICPA guidance, the report must cover a period of time of at least 6 months. This means Type II reports can’t be created in a short period of time. Typically the Type II audit review is scheduled 6 months after issuance of the SOC 1 report. After a SOC 1 Type II report is issued, it is generally renewed on an annual basis.
