SOC 1 Business Process Control Audits and Compliance

Learn why Top Industry Analysts consistently name Okta and Auth0 as the Identity Leader

When you handle customer financial data, trust is critical. A SOC 1 report helps you demonstrate that you have controls in place to protect this data.

The acronym SOC stands for “service organization control.” Prepare for many, many acronyms and unusual terms in SOC 1 reports. These are technical documents, and the language used to discuss them reflects that complexity.

What is a SOC 1 report?

A SOC 1 report details how your organization protects client financial data. You'll use reports like this to validate your commitment to your current and potential customers.

SOC reports were designed, in part, by the AICPA. The organization says two types of SOC 1 reports exist (Type 1 and Type 2). Both require an organization to detail how they secure client data. Only Type 2 SOC 1 reports look over the operating effectiveness of those plans. 

What is SOC 1 used for?

Every day, you and your staff follow protocols regarding client data. You do all you can to ensure you don't change or otherwise invalidate that information. SOC 1 reports help you audit those plans and prove you're doing what you say you will do. 

SOC 1 audits look over so-called "controls." These may apply to:

  • Programs. Do the tools you use protect information?
  • Data. Do your workflows allow changing of critical information?
  • Resources. Do the computers, servers, and other pieces of equipment you use protect data? 

An auditor may look over the physical pieces of your organization. The auditor may also look over the processes, permissions, and passwords that protect information. The auditor doesn’t have to prove that everything is watertight. Instead, they will simply try to prove or disprove that you’re keeping the promises made in your report. 

Are SOC 1 reports mandatory?

Some industries are under regulatory or legal pressure to create SOC reports, including:

  • Medical: Does your company process medical claims for customers?
  • Financial: Do you service loans for your customers? Do you process payroll? Any financial data could be subject to a SOC 1 report.
  • Data: Do you store information for customers? Do you offer software that could alter financial information?

The ability to "write" information is important here. If you can only see information but never change it, you may not need a SOC 1 report. But if you have the ability and authority to make a mistake when you alter data, a report could be critical. If you can change data, your company is technically a “SOC 1 service organization,” and potential customers may demand to see a report before doing business with you. 

Understanding SOC 1 audits

Hire a CPA firm that specializes in IT audits to handle your SOC 1 audit. It's not advised to complete the hard work yourself. You'll need an expert to walk through the process with you.

As part of the process, you'll create attestation reports that detail everything you do to protect client data. You'll also give access to both your facility and your staff. Your firm will take the work from there. Expect the process to take weeks, if not months.

The final report is typically good for a full 12 months, but some last for longer or shorter time periods. Ask your CPA firm how long yours will last before you get started.

As part of your audit, you may learn that poor authentication puts client data at risk. Find out about five identity attacks that exploit broken authentication on our blog.  


SOC for Service Organizations: Information for Service Organizations. AICPA.