What is the difference between SOC 1 and SOC 2?

SOC 1 covers controls relevant to your customers' financial reporting (ICFR); SOC 2 covers the Trust Services Criteria (security, availability, confidentiality, processing integrity, privacy). Customers' finance auditors ask for SOC 1; their security teams ask for SOC 2. Many service organizations need both — and much of the underlying control work overlaps.

Do I need SOC 1 Type I or Type II?

Type I is a point-in-time design assessment; Type II covers operating effectiveness over a period (typically 6–12 months) and is what user auditors generally rely on. Most organizations do a Type I first, then move to an annual Type II cycle.

Can I reuse my SOC 2 work for SOC 1?

Substantially, yes — ITGCs (access, change, operations) overlap heavily. Our cross-framework mapping shows exactly which existing controls satisfy SOC 1 control objectives, so you test once and report twice.

Framework · Compliance Enablers

SOC1

Financial Controls Attestation, Without the Spreadsheet Maze

SOC 1 (SSAE 18) attests the controls at your service organization that affect your customers' financial reporting. Manage ITGC domains, control testing, and evidence on the same platform that runs your SOC 2 — most of the work overlaps.

Who needs it: Service organizations whose systems affect customer financial reporting: payroll processors, fund administrators, fintech platforms, claims processors, SaaS billing systems.

Start Free Trial

Book a Demo

SSAE 18

Attestation Standard

ITGC Domains Managed

Report Types (I & II)

SHA-256

Evidence Integrity

The framework

What is SOC 1?

SOC 1 is an attestation report under SSAE 18 covering controls at a service organization relevant to user entities' internal control over financial reporting (ICFR). If your service touches data that flows into your customers' financial statements — payroll, billing, fund accounting, claims — their auditors will ask for it.

Like SOC 2, it comes in Type I (design at a point in time) and Type II (operating effectiveness over a period). Unlike SOC 2's Trust Services Criteria, SOC 1 control objectives are defined by you around the services you provide — which makes disciplined control definition, testing, and evidence even more important.

The requirements

What you'll need to satisfy.

The core categories SOC 1 auditors evaluate — and what we ship to cover each one.

IT General Controls

Logical access management and reviews
Change management with approvals and segregation
Computer operations: scheduling, backups, incidents
System development and acquisition controls

Business Process Controls

Control objectives defined around your service
Transaction processing accuracy and completeness
Reconciliations and exception handling
Reporting integrity controls

Governance & Evidence

Control ownership and accountability
Periodic control testing with documented results
Evidence retention with integrity protection
Subservice organization (vendor) monitoring

Before → After

The problem we solve.

Why teams pick Compliance Enablers for SOC 1 compliance.

Common challenges

Customers' auditors demand a SOC 1 report before financial-year close, on their timeline
ITGC evidence (access, change, operations) is scattered across teams and tools
Running SOC 1 and SOC 2 as separate projects doubles the control-testing burden
Control descriptions drift from reality between audit cycles

What we provide

IT General Controls module: access, change management, operations, and SDLC control domains in one matrix
Control library with testing procedures, owners, and evidence requirements
Evidence collection with SHA-256 integrity hashes — defensible for financial-statement auditors
Cross-framework mapping: your SOC 2 common criteria work overlaps SOC 1 ITGCs substantially
Audit management for fieldwork coordination: requests, findings, and remediation tracked to closure
SOX/ICFR module for organizations that also face Sarbanes-Oxley alignment

Your journey

From kickoff to
audit-ready.

Step-by-step, exactly how we'll get you there.

Scope & Control Objectives

Define the services in scope and the control objectives your customers' auditors care about.

ITGC Matrix

Stand up access, change, operations, and SDLC control domains in the IT General Controls module.

Map the Overlap

Cross-map existing SOC 2 / ISO 27001 controls so you never test the same control twice.

Evidence & Testing

Collect evidence with integrity hashes; schedule and record control tests with owners and results.

Audit Fieldwork

Run the auditor's request list through Audit Management — requests, evidence, findings, remediation.

Time to value

ITGC matrix stood up in days; audit-ready in weeks

One control-testing program feeding SOC 1, SOC 2, and SOX alignment — instead of three parallel spreadsheets.

SOC 1

Your existing
framework

Cross-framework

Running SOC 2 already? Your common-criteria ITGC work carries directly into SOC 1 — we show you the overlap control by control.

How we're different

Certification-automation tools treat SOC 1 as an afterthought because it isn't a SaaS-marketing badge. If your customers' auditors ask for SOC 1, you need real ITGC and audit management — which is exactly the part of the stack we built deep.

Key modules for SOC 1.

Everything these modules ship, included in every tier.

IT General ControlsControls LibraryEvidence CollectionAudit ManagementSOX / ICFR

SOC 1 FAQ

14-day free trial · no card required

Get SOC 1
audit-ready.

ITGC matrix stood up in days; audit-ready in weeks. 513 pre-generated policies. 50+ evidence collectors. Everything you need to pass SOC 1, out of the box.