top of page


A SOC 1 Report (System and Organization Controls Report) is a report on Controls at a Service Organization which are relevant to user entities’ internal control over financial reporting.


The SOC-1 Report is what you would have previously considered to be the standard SAS70 (or SSAE 16), complete with a Type I and Type II reports, but falls under the SSAE 18 guidance (as of May 1, 2017).

Who Needs a SOC 1 Report?

A SOC-1 report provides user entities of the payroll processing company reasonable assurance that the internal controls of the payroll processing company are suitably designed (Type I report) or suitably designed and operating effectively (Type II report).

Who is Required to Have a SOC 1 Report

There are numerous service organizations that may receive SOC-1 reports. The common theme between the service organizations should be the potential impact on user entities internal controls over financial reporting (ICFR). Some examples of organizations who may receive SOC 1 reports include:

  • Payroll processors

  • Medical claims processors

  • Loan servicing companies

  • Data center companies

  • Software-as-a-Service (SAAS) companies that may impact the financials of their user entities.


  • Instant credibility

  • Third party perception

  • Confirmation that controls, procedures, and process are in place as management intends

  • Independent assessment of controls

  • Potential to grow market share

  • Reduction of third party self-assessment questionnaires

  • One audit report can satisfy multiple customers

Project Phases

Phase I – Determination of Objectives

This phase involves determining key business objectives, from user entity, as well as of the service organization.


Phase II – Gap Analysis

This phase involves performing gap analysis of the above listed objectives on one hand, and the applicable SOC 1 controls and risks, on the other. We provide solution for all identified gaps.


Phase III – Control Design and documentation

This phase involves our methodology that involves distribution of risks, and control responsibility to internal stakeholders. This also includes nomination of key roles such as risk officer – who will drive the ongoing compliance.


Phase IV – Tracking

This phase involves tracking the client risks, documentation and self-compliance on a weekly basis till all internal controls are adequately implemented.


Phase V – Performance Tracking

This phase involves measuring internal control changes on a scale of 0-100%. This gives assurance to internal stakeholders that the processes implemented are adequate (or at risk). If there are deviations or risks identified, they are treated.


Phase VI – Internal Audit

Internal audit followed by a formal review of the program gives organization an independent perspective, and enables them to be ready for final attestation.

Overall, companies should request SOC 1 certification from their service providers, including global payroll providers to gain a value-added independent opinion that offers peace of mind for your company. It’s also a way to ensure that they are keeping up with changing regulations and keeping their partners, i.e. your business, best interests and critical data safe and top of mind.

bottom of page