Lumina Risk Advisory

SOC 1 Readiness

SOC 1 done right.
First time.

If your service affects your customers' financial statements, their external auditors will ask for your SOC 1 report. We build the controls, write the system description, design the CUECs, and prepare you for the CPA firm — so you pass without the guesswork.

SSAE 18 · Type I & Type II · CPA-firm agnostic

Timeline

6–10 weeks

Engagement

Fixed-fee project

Best for

Financial service orgs

Output

SSAE 18 Type I or II report

Who needs SOC 1?

If your service touches
their financial statements.

The test: do errors or failures in your system create risk of material misstatement in your customers' financial reports? If yes, SOC 1 is what their auditors will ask for.

Payroll processors

Your customers' payroll data flows through your system and directly into their financial statements. Their auditors require evidence that your controls over payroll processing are sound.

Financial SaaS platforms

If your platform processes transactions, manages general ledgers, or handles accounts payable/receivable for customers, their external auditors will ask for your SOC 1 report.

Fund administrators

Hedge funds, private equity, and asset managers whose NAV calculations or investor records flow through your platform face annual audit requirements that include your controls.

Loan servicers & fintechs

Mortgage servicers, loan originators, and payment processors whose systems affect customers' financial reporting balances require SSAE 18 Type II reports.

SOC 1 vs SOC 2

Different standards.
Different audiences.

| Aspect | SOC 1 | SOC 2 |
| --- | --- | --- |
| Standard | SSAE 18 (AT-C 320) | SSAE 18 (AT-C 205) |
| Focus | Controls over financial reporting | Security, availability, confidentiality, privacy |
| Who asks for it | Your customers' external auditors | Enterprise procurement / InfoSec teams |
| Report user | User entities and their auditors | Customer security and compliance teams |
| Issued by | Licensed CPA firm | Licensed CPA firm |
| Type I | Design of controls at a point in time | Design of controls at a point in time |
| Type II | Operating effectiveness over 6–12 months | Operating effectiveness over 6–12 months |

Need both? Many service organizations carry both a SOC 1 (for their customers' auditors) and a SOC 2 (for their customers' InfoSec teams). We can run them sequentially or in parallel. Ask us →

Our process

Five stages.
Report-ready.

Every SOC 1 engagement follows this five-stage process. We own the preparation work end-to-end — you stay focused on your business while we build the report package.

01 Week 1–2

Scoping & system description

We define your service commitments, system description, and the controls you'll include in the report. Getting this right is critical: the system description is what the auditor tests against.

02 Week 2–4

Control matrix design

We map your existing processes to control objectives and design any missing controls. Every control objective needs a corresponding control that operates consistently.

03 Week 4–8

Policy & evidence build

We write the policies and gather evidence for each control. We pay particular attention to complementary user entity controls (CUECs), which are the controls your customers are expected to have in place for your controls to work as described.

04 Week 6–10

Internal walkthrough

We test each control against the control objective, identify gaps in evidence, and prepare you for the CPA firm's testing approach.

05 Week 8–10

CPA firm coordination

We brief the issuing CPA firm, handle the initial evidence request, and stay available throughout their testing to respond to questions and clarifications.

FAQ

Common questions.

What is a SOC 1 report?

A SOC 1 report (issued under SSAE 18 AT-C 320) provides independent attestation that a service organization's controls over financial reporting are properly designed (Type I) and operating effectively (Type II). It's the report your customers' external auditors ask for when your service affects their financial statements.

How does SOC 1 differ from SOC 2?

SOC 1 focuses on controls that affect your customers' financial reporting — it's for the customer's auditors. SOC 2 focuses on security, availability, and data protection — it's for the customer's InfoSec and procurement teams. Some organizations need both. The triggering question: does your service flow into your customers' financial statements?

What are CUECs, and why do they matter?

CUECs (Complementary User Entity Controls) are the controls that your customers need to have in place for your controls to function properly. For example: if your system relies on customers providing accurate user access lists, that's a CUEC. We ensure your CUECs are accurately described and reasonable. Misspecified CUECs are a common audit finding.

Who issues the actual SOC 1 report?

A licensed CPA firm issues the report. We are your readiness advisor. We prepare your controls, policies, and evidence package so that when the CPA auditor arrives, you pass without surprises. We can recommend auditors and liaise with them throughout.

Do I need Type I or Type II?

Most customer contracts and audit requirements ask for Type II (operating effectiveness over a period, typically 6–12 months). Type I (point-in-time design assessment) is useful as a first step when you're starting from scratch and need to demonstrate progress quickly. We recommend planning for Type II from the beginning so you don't repeat work.

Ready for
your SOC 1?

Book a scoping call. We'll confirm whether SOC 1 is the right report and send a fixed-fee proposal within 48 hours.