SOC 1

E182251

SOC 1 is an auditing standard under the AICPA’s SSAE framework that evaluates the internal controls of service organizations relevant to their clients’ financial reporting.

All labels observed (2)

Label Occurrences
SOC 1 canonical 3
System and Organization Controls 1 1

How this entity was disambiguated

Statements (47)

Predicate Object
instanceOf auditing standard
service organization control report
accessRestrictedTo service organization management
user auditors
user entities
basedOnFramework SSAE
canSupport Sarbanes-Oxley Section 404 compliance
controlCategoriesMayInclude change management
data processing
input, processing, and output controls
logical access
operations
reconciliation and reporting controls
distinguishedBy focus on financial reporting rather than trust services criteria
distinguishedFrom SOC 2
SOC 3
focusesOn controls at service organizations relevant to user entities’ financial reporting
internal controls over financial reporting
fullName SOC 1 self-linksurface differs
surface form: System and Organization Controls 1
geographicUse primarily United States
governedBy AICPA attestation standards
governingBody American Institute of Accountants
surface form: AICPA
hasType Type I
Type II
includes description of tests of controls and results (for Type II)
management’s assertion about controls
management’s description of the service organization’s system
service auditor’s report
predecessorTerminology SAS 70 reports (conceptual predecessor)
primaryObjective evaluate design and operating effectiveness of controls relevant to user entities’ financial reporting
primaryUsers CFOs and controllers at user entities
financial statement auditors of user entities
risk and compliance teams at user entities
relatedStandard SSAE
surface form: SSAE 18
relevantTo service organizations
user auditors
user entities
reportDistribution restricted-use report
reportIssuer independent CPA firm
reportPeriodTypicalLength 6 to 12 months for Type II reports
scope controls likely to be relevant to user entities’ internal control over financial reporting
typeIDescription report on management’s description of a service organization’s system and the suitability of the design of controls as of a specified date
typeIIDescription report on management’s description of a service organization’s system and the suitability of the design and operating effectiveness of controls over a specified period
usedFor compliance with financial reporting requirements
third-party risk management
user auditors’ assessment of risks of material misstatement in financial statements
vendor due diligence

How these facts were elicited

Referenced by (4)

Full triples — surface form annotated when it differs from this entity's canonical label.

Azure supportsComplianceStandard SOC 1
subject surface form: Microsoft Azure
SOC 2 isDifferentFrom SOC 1
SOC 1 fullName SOC 1 self-linksurface differs
this entity surface form: System and Organization Controls 1