SOC 1, pronounced as “sock one” is an acronym that stands for System and Organization Controls 1. A SOC 1 report documents internal controls that are relevant to an audit of a user entity’s financial statements.



With regards to financial reporting, a SOC 1 report conducts an evaluation of service organization controls that invariably apply to a user entity’s internal control over financial reporting. SOC 1 is structured to organize the workload of user entities and the accountants who bear the responsibility of conducting an audit of their financial statements.

The SOC 1 aim is targeted at examining the effectiveness of a service organization’s internal controls.



Basically, there are two type of SOC 1 reports. They include: SOC 1 Type 1, and SOC 1 Type 2.


SOC 1 Type 1

A SOC 1 Type 1 report has to do with the service organization’s system, its suitability, for the intended purpose: (CONTROL OBJECTIVES) and the description bearing a specified date. Access to these reports are restricted to members of the service organization i.e. auditors, user entities, and managers.


SOC 1 Type 2

A SOC 1 Type 2 report goes a step further from just analysis and opinions, to actually reporting on whether or not the established controls have been able to achieve all control objectives over a given period of time. A SOC 1 Type 2 report provides insight geared towards addressing potential risks that internal controls intend to mitigate.

Owing to the fact that users of the system are prone to potential risks, the auditor seeks to identify control objectives that can address such risks squarely.

Such control objectives do not operate in isolation, but are joined to other controls within any given process. The aim is to ensure the effectiveness of the control objectives.



Often times, many business enterprises do rely on the controls of a service organization in order to achieve effective control over the process that covers their financial reporting. Such forms firms will usually request to see their SOC 1 so as to have a knowledge of their operating effectiveness. Recall that the aim of a SOC 1 audit is to determine the effectiveness of an organization’s internal controls regarding financial reporting. A SOC report is very useful to financial statement auditors who seek to minimize the audit processes.

The SOC 1 report was previously known as Statements on auditing standards No.70. A SOC 1 report also helps service organizations in confirming the security and protection of all data and systems.



Businesses are beginning to demand to see a SOC 1 report as its usefulness cannot be overemphasized. Many businesses depend on the controls at a service organization to achieve control over the financial reporting process, and SOC 1 reports provide the required evidence of the operating effectiveness. A SOC 1 audit is designed to determine and ascertain the effectiveness of internal controls within a firm while at the same time providing feedback that can be acted upon.

It achieves this and more by establishing control over objectives that is within the SOC 1 process area, while noting internal controls that are relevant to the audit of a user entity’s financial statement.