Here’s how GBQ can help service organizations understand, prepare, and take action.

What is the SOC 1 Report?

The SOC 1 report shows how financial reporting is controlled at a service organization. It gives information and the opinion of a services auditor about the controls that are important for the internal control over financial reporting of user entities, including the management of the service organization and the independent auditors of user entities’ financial statements.

The framework is not prescriptive for SOC 1, as the control objectives and controls designed to meet those control objectives are unique to each organization. But, here’s some information on how to read and understand a SOC report.

What Are SOC 1 Reports Used For?

SOC 1 reports are appropriate for service organization companies whose users/customers rely upon them for some aspect of their own financial reporting process, such as outsourced payroll processing, investments, billing, payables, collections, etc.

How to Prepare for Your First SOC Examination

Get Ready

  • During this initial step, GBQ will work with you to define the scope and boundaries of the system being audited. Our team will conduct interviews to guide management through the process of identifying and selecting relevant control objectives and controls that meet those objectives. We will then assess if any control gaps need to be remediated and provide guidance in writing a system description (a key element of the SOC report!). This process is very hands-on and is where you will determine what services should be included in the SOC examination. This will also identify weak areas that would benefit from adding or modifying controls. The primary outcome of the readiness phase is your gap assessment, or list of specific action items that need to be addressed before starting your first SOC examination.


  • Following the readiness assessment, time and effort are required to remediate any identified control gaps. Our team can be as involved in the process as you desire. At the very least, we prefer to check in with you regularly through this phase so we can provide you with guidance and input while you work through action items.

Type 1 Report

  • The SOC 1 Type 1 report is a full report including the independent auditor’s opinion, but it is performed as of a specific date and includes only the testing of the design and implementation of controls as of that date. This is the best place to start for first-time SOC candidates because it can be issued as soon as controls are identified to be implemented, much sooner than waiting for a Type 2 period to pass. The Type 1 examination is also a good “dry run” test of the organization’s ability to gather the needed documentation to support the auditing of controls before the specific results of those tests will be included in the report.

Type 2 Report

  • At least six months after your initial SOC 1 Type 1 report, and not more than 12 months after, a SOC 1 Type 2 report can be issued. The primary difference between the Type 2 and Type 1 engagement is that the operating effectiveness of the controls in place over a period of time are tested in a Type 2 engagement through sampling across the entire audit period, and the testing results are presented in the report.

Partner with GBQ

It is required for SOC 1 reports to be completed by an external auditor from a licensed CPA firm. Contact GBQ to get started and learn more about our SOC 1 services.