verified_user
Standardful
Homechevron_rightStandardschevron_rightSOC 1 Type II
ActiveInternational Standardupdate Standard Updated: May 2017fact_check Fact checked: Jun 28, 2026

SOC 1 Type II

Service Organization Control 1 — Internal Controls over Financial Reporting (SSAE 18)

apartmentPublishing Organization:American Institute of Certified Public Accountants (AICPA)

Standard Introduction

SOC 1 Type II is an active standard published by American Institute of Certified Public Accountants (AICPA). It is commonly used across Finance & Banking, Technology, Services and applies in United States, Global.

Use this page to review the official documentation, current status, and the certification or assessment bodies most commonly associated with SOC 1 Type II.

Implementation Roadmap

1
Phase 1schedule Duration: 3-6 weeks

Define service organization controls over financial reporting scope

Identify the products, services, systems, entities, jurisdictions, teams, vendors, and stakeholders covered by SOC 1 Type II. Confirm owners, boundaries, applicable obligations, documentation, and evidence expectations for system description, control objectives, complementary user entity controls, subservice organizations, financial-reporting-relevant processes, access, change management, operations, processing controls, exceptions, and auditor testing.

2
Phase 2schedule Duration: 4-10 weeks

Assess obligations and gaps

Compare current practices with the expected service organization controls over financial reporting approach. Review control objective definition, process narratives, risk assessment, access reviews, change approvals, job processing, reconciliations, incident handling, evidence retention, subservice monitoring, management assertion, and auditor request handling, then prioritize gaps by legal exposure, financial reporting impact, security or privacy impact, customer commitments, operational dependency, and audit readiness.

3
Phase 3schedule Duration: 8-24 weeks

Implement controls and evidence

Deploy required procedures, technical controls, review gates, training, supplier workflows, reporting paths, and operational records. Maintain system descriptions, control matrices, process narratives, management assertions, population lists, access reviews, change tickets, processing logs, reconciliation evidence, exception logs, subservice reports, and auditor PBC responses as traceable evidence.

4
Phase 4schedule Duration: Ongoing

Review, report, and improve

Run management reviews, internal checks, independent assessments where applicable, corrective actions, and change reviews. Refresh the program when products, vendors, laws, incidents, assurance expectations, or stakeholder needs change.

Compliance Checklist

0 / 12

checklist Scope and accountability

checklist Controls and records

checklist Monitoring and assurance

Frequently Asked Questions

Who needs SOC 1 Type II?

expand_more

SOC 1 Type II is most relevant to service organizations whose systems or processes affect user entities' internal control over financial reporting. The exact scope depends on products, services, jurisdictions, customer commitments, assurance requirements, and the organization's role in the relevant ecosystem.

Is SOC 1 Type II certifiable?

expand_more

SOC 1 is an independent CPA attestation report, not a certification. A Type II report covers the design and operating effectiveness of controls over a period.

What should implementation focus on first?

expand_more

Start by defining scope, obligations, accountable owners, and the evidence expected by regulators, auditors, customers, or governance bodies. Then perform a gap assessment against current controls and prioritize remediation by risk and deadline.

What evidence is useful for SOC 1 Type II?

expand_more

Useful evidence includes system descriptions, control matrices, process narratives, management assertions, population lists, access reviews, change tickets, processing logs, reconciliation evidence, exception logs, subservice reports, and auditor PBC responses. Evidence should be version-controlled, attributable to owners, linked to obligations and controls, and retained for the required review or audit period.

How often should the program be reviewed?

expand_more

Review it at planned intervals and whenever laws, products, vendors, incidents, customer commitments, reporting cycles, or assurance expectations change. Higher-risk obligations should have more frequent monitoring and management reporting.

Official Documentation

View All

Related Categories