Build trust with SOC 1 in 2024

Demonstrate your security, reliability and regulatory compliance for working
with large, publicly-listed enterprises with SOC 1 reporting.


Is this the year you grow with SOC 2?

There’s no better standard to baseline your information security and earn trust with a broad customer base.

AssuranceLab is a registered CPA and CA firm ready to help you earn trust with SOC 2 in the US and globally.

We provide end-to-end readiness and audit services, with a cloud-native and agile approach that enables you to work at your own pace.


You’re in great company. We work with hundreds of fast-growing software companies across 13 countries, ranging in size from 2 to 26,000 employees.


We work with more than 500 fast-growing companies across 20+ countries, ranging in size from 2 to 26,000+ employees.


Is this the year you

grow with SOC 1?

SOC 1 reporting demonstrates your security, and reliability and supports regulatory compliance for large publicly listed customers. 

SOC 1 reports are designed to evaluate the internal controls of a service organisation that are relevant to the financial statements of its customers.

As a registered CPA and CA firm, we provide complete audit services, with a cloud-native and tech-enabled approach. This means you work at a pace that suits you rather than navigating the traditional complex audit model.

Ready to get started with SOC 1?



Four steps to SOC 1

left arrow right arrow
SOC 1 Readiness Assessment

SOC 1 Readiness Assessment

Integrating with many compliance platforms, we provide a tailored view of your controls and any gaps to help you prepare for your audit.

SOC 2 Remediation Support

SOC 1 Remediation Support

We guide you as you address gaps and implement fit-for-purpose processes that align with your culture and the SOC 1 objectives. Our flexible and responsive team helps you work through it at your own pace.

SOC 1 Type 1 Audit

SOC 1 Type 1 Audit

We conduct the Type 1 audit at your pace to help you minimise disruption and learn through the process. Our iterative reviews and feedback help you stay on track and achieve operational benefits.

SOC 2 Audit Type 2

SOC 1 Type 2

We conduct the Type 2 audits either at your own pace within a defined timeline or incrementally throughout the year to minimise disruption and increase confidence in your compliance. 

Ready to get started on your compliance journey?


Clear reasons to act


International credibility

A globally recognised attestation
report to build trust at scale


Customer comfort and trust

A detailed report addressing crucial
customer due diligence questions


Minimal business disruption

Agile and flexible audits that help minimise the disruption while meeting client deadlines


Choice of goalposts

Optional control objectives to satisfy various technology and financial objectives


Multi-standard compliance

A strong starting point in meeting multiple related frameworks, standards and certifications


Recognition of partial progress

The ability to achieve a SOC 1 report
with known process improvements


Your questions answered

What is SOC 1?

SOC 1 is a reporting framework developed by the American Institute of Certified Public Accountants (AICPA). SOC 1 reports, also known as the Statement on Standards for Attestation Engagements No. 18 (SSAE 18) report, is designed to evaluate the internal controls of a service organisation that are relevant to the financial statements of its customers.

The SOC 1 report provides information about the design and effectiveness of the controls implemented by the service organisation to ensure the reliability of the financial information processed on behalf of its clients. It focuses on controls that are likely to be relevant to the financial reporting of the user entities.

The SOC 1 report helps user entities gain assurance about the service organisation's controls and their impact on the user entities' financial statements. It provides valuable information for auditors and stakeholders who rely on outsourced services to support their financial reporting processes.

Why are SOC 1 financial reporting objectives relevant to software companies?

The main driver we see for SOC 1 which comes with a financial reporting objective focus, is for publicly listed companies and their associated compliance with Sarbanes Oxley (SOX). That is where publicly listed companies need to prove they have effective internal controls including over the critical systems they use. That includes third-party software, so your publicly listed customers may ask you for a SOC 1 report covering your software as a service.

SOC 1 vs SOC 2: what’s the difference?

The service organisation control, sometimes referred to as system and organisational control (SOC) standards has been around for decades. Their earlier use was driven by financial reporting objectives, later termed “SOC 1”. That’s where third parties would rely on IT systems or services, and that would impact their financial statement audits or other financial interests like in asset management or superannuation. 

As reliance on third-party services evolved with the rise in software as a service companies, these reports naturally evolved to being used for assurance over those third-party services even when no direct financial objectives were involved. The Trust Services Criteria were then introduced to better align with the modern needs of third parties that were reliant on security, availability, confidentiality, processing integrity and privacy. This became “SOC 2” to differentiate from the earlier SOC 1 purpose.

Type 1 and Type 2 report: what’s the difference?

A Type 1 report attests to your compliance by design. It’s a snapshot in time that can be achieved by showing you have the right systems and processes in place to satisfy the SOC 1 control objectives. 

A Type 2 report attests to your compliance by both design and operation over a set period of time, usually between 3-12 months, to show your systems and processes have been operating consistently to satisfy the SOC 1 control objectives. 

Usually, a Type 1 report is issued first as baseline compliance. That marks the start of the live and recurring Type 2 audit period for reports issued annually. That is the industry standard but the SOC standards have the flexibility to choose the report dates and periods as desired (usually driven by customers’ expectations that drive the industry-standard approach).

Can you fail SOC 1?

Not as such. SOC 1 reports are not pass/fail. The SOC report can be issued with any number of exceptions and qualifications. Most companies choose to delay their SOC 1 report until it is “clean”. If you are in an annual reporting cycle with customer commitments, you may not have that flexibility, so the report may be issued with disclaimers about any identified exceptions and qualifications.

What does SOC 1 cover?

The control objectives in SOC 1 are adaptable to the specific customer requirements, especially if specific financial reporting objectives are required to be covered. A standard SaaS provider’s scope focuses on technology controls and may include the following areas as control objectives:

  • Logical Access
  • Segregation of Duties
  • IT Perimeter Security
  • IT Processing
  • Change Management
  • Backups & Recovery
  • Incident Management
  • Resilience & Recovery
  • Vendor Risk Management

Can we reduce the audit work by using a compliance platform?

Yes is the short answer. Unlike ISO 27001, there are no prescribed audit days, so using automation can help auditors achieve the required level of comfort for their controls. But that relies on an audit firm that’s familiar with the specific platform you’re using. It also only works if the controls and scope of the audit are adaptable to the platform. If you look to have customised controls or diverge from the way the platform works, it can cause additional work. We integrate with many compliance automation platforms to ensure a streamlined approach to your audit. 


Earn trust with other leading standards


Blended Audits

Combine two or more compliance frameworks into a single blended audit process without duplication to scale trust, not costs and effort.



The de facto global and best practice standard for proving secure handling of electronic protected health information (ePHI).


Custom Frameworks

Manage any compliance obligations from customers, regulators or your own internal risk requirements with custom frameworks.


ISO 27001

An international framework to apply a structured and best practice methodology for managing information security.



A comprehensive, best practice standard for cloud security to achieve Level Two accreditation in the security, trust and risk (STAR) register.


Consumer Data Right

Access consumer data in Australia’s economy-wide open data regime with Consumer Data Right accreditation.


ESG Reporting

A flexible and lightweight framework to report up to 500+ positive impact activities supporting environmental, social and governance (ESG) objectives.



The global gold-standard for privacy. GDPR is regulated for personal data collected from EU citizens, and an effective framework to satisfy enterprise customers globally.



Trust services criteria to satisfy a broad customer base globally for security, availability, confidentiality, privacy and processing integrity.



The global gold-standard for privacy. GDPR is regulated for personal data collected from EU citizens, and an effective framework to satisfy enterprise customers globally.

Get started your way

We’re ready when you are