What is a SOC 1 report?
Governed by: SSAE 18, AT-C Section 320 (AICPA). Comparable to ISAE 3402 (IAASB).
SSAE 18 covers the same subject matter as ISAE 3402: controls at a service organization that are relevant to user entities' financial reporting. A SOC 1 Type 2 report and an ISAE 3402 Type II report test the same things — design and operating effectiveness of controls over a period. The difference is jurisdiction. SSAE 18 is the AICPA standard used in the United States. ISAE 3402 is the IAASB standard used in Europe and internationally.
Most large service organizations that operate across jurisdictions issue dual-standard reports referencing both SSAE 18 and ISAE 3402. This avoids the need for separate engagements and gives user auditors in both the US and Europe a report they can rely on under their respective frameworks.
ISA 402 does not restrict the user auditor to ISAE 3402 specifically. It requires "sufficient appropriate audit evidence." But some regulators — notably the AFM in the Netherlands — have expressed a preference for ISAE 3402 reports. User auditors should check their regulator's position before relying on an SSAE 18-only report.
Key Takeaways
- SOC 1 is the AICPA's equivalent of ISAE 3402, covering controls relevant to user entities' financial reporting.
- European user auditors can often rely on a SOC 1 report, but some regulators require ISAE 3402 specifically.
- SOC 1 reports come in Type 1 (design) and Type 2 (design plus effectiveness).
- SOC 1 is distinct from SOC 2, which covers operational controls not tied to financial reporting.
Worked example: Logística Digital S.L.
Client: a Spanish logistics software company based in Barcelona that operates a warehouse management platform for 45 retail clients.
Logística Digital's US-listed parent company requires a SOC 1 Type 2 report under SSAE 18. Given the European client base, the service auditor recommends a dual-standard report referencing both SSAE 18 and ISAE 3402. The report covers January to December 2024.
Five control objective areas are in scope: order processing, warehouse data integrity, billing calculation, user access management, and change management. The service auditor tests 28 controls across these areas.
One exception is identified: the quarterly access review in Q2 was completed 8 days late. The service auditor describes this in the report. The quarterly reviews for Q1, Q3, and Q4 were completed on time, and no unauthorized access was identified during the delayed Q2 review.
A European user auditor relies on the dual-standard report under ISA 402 without regulatory friction. The ISAE 3402 reference means the report satisfies both the US parent's requirements and European regulatory expectations in a single engagement.
What reviewers get wrong
- Assuming SOC 1 equals ISAE 3402 for regulatory purposes: European user auditors sometimes accept an SSAE 18-only SOC 1 report as identical to ISAE 3402. While the substance is similar, some EU regulators distinguish between the two standards. A dual-standard report eliminates this risk.
- Confusing SOC 1 with SOC 2: Teams sometimes request or accept a SOC 2 report when they need evidence about controls over financial reporting. SOC 1 covers financial reporting controls. SOC 2 covers security, availability, processing integrity, confidentiality, and privacy. They are not interchangeable for ISA 402 purposes.
SOC 1 vs ISAE 3402
| Dimension | SOC 1 (SSAE 18) | ISAE 3402 |
|---|---|---|
| Standard setter | AICPA | IAASB |
| Primary jurisdiction | US | European / international |
| Report types | Type 1 and Type 2 | Type I and Type II |
| Underlying framework | AT-C Section 320 | ISAE 3000 (Revised) |
| Dual reporting | Can combine with ISAE 3402 | Can combine with SSAE 18 |
Key standard references
- SSAE 18, AT-C Section 320: The AICPA standard governing SOC 1 engagements.
- ISAE 3402: The IAASB equivalent, covering assurance reports on controls at a service organization.
- ISA 402: Governs the user auditor's consideration of service organizations and requires "sufficient appropriate audit evidence."
Frequently asked questions
Can a European auditor rely on a SOC 1 report?
Generally yes. ISA 402 requires "sufficient appropriate audit evidence" and does not mandate ISAE 3402 specifically. However, some European regulators prefer or require ISAE 3402, so check your regulator's position.
What is the difference between SOC 1 and SOC 2?
SOC 1 covers controls relevant to financial reporting (same scope as ISAE 3402). SOC 2 covers operational controls related to security, availability, processing integrity, confidentiality, and privacy. They serve different purposes and are not interchangeable.