Build trust with SOC 1 in 2024

Demonstrate your security, reliability and regulatory compliance for working with large, publicly-listed enterprise with SOC 1 reporting.

aicpa-soc-2-badge-header
soc2-explained-video-cover
SOC 2 STANDARD

Is this the year you grow with SOC 2?

There’s no better standard to baseline your information security and earn trust with a broad customer base.

AssuranceLab is a registered CPA and CA firm ready to help you earn trust with SOC 2 in the US and globally.

We provide end-to-end readiness and audit services, with a cloud-native and agile approach that enables you to work at your own pace.

alab-network-countries-and-employees

You’re in great company. We work with hundreds of fast-growing software companies across 13 countries, ranging in size from 2 to 26,000 employees.

alab-network-countries-and-employees-1

You’re in great company. We work with hundreds of fast-growing software companies across 20+ countries, ranging in size from 2 to 26,000+ employees.

SOC 1 STANDARD

Is this the year you

grow with SOC 1?

SOC 1 demonstrates your security, reliability and supports regulatory compliance for large publicly listed customers

AssuranceLab is a registered CPA and CA firm ready to help you earn trust with SOC 1 in the US and globally.

We provide end-to-end readiness and audit services, with a cloud-native and agile approach that enables you to work at your own pace.

alab-soc2-image
Sine-logo
Plexure-logo
salestrekker-logo
Nano-logo
Livepro-logo
Livehire-logo
Inlogik-logo
Humanforce-logo
Data-zoo-logo
Enboarder-logo
Dropsuite-logo
Checkbox-logo
Bravura-solutions-logo
rockt-logo
Civic Ledger Logo_Navy_Official

THE BENEFITS

Clear reasons to act

alab-international-credibility-icon

International
credibility

A globally recognised attestation
report to build trust at scale

alab-customer-confort-and-trust-icon

Customer comfort
and trust

A detailed report addressing crucial
customer due diligence questions

alab-minimal-business-disruption-icon

Minimal business
disruption

Agile and flexible audits that help minimise the disruption while meeting client deadlines

alab-choice-of-goalposts-icon

Choice of
goalposts

Optional control objectives to satisfy various technology and financial objectives.

alab-multi-standard-compliance-icon

Multi-standard
compliance

A strong starting point in meeting
multiple related frameworks,
standards and certifications

alab-recognition-of-partial-progress-icon

Recognition of
partial progress

The ability to achieve a SOC 1 report
with outstanding issues or process improvements

THE PROCESS

Four Steps to SOC 1

left arrow right arrow
SOC 1 Readiness Assessment

SOC 1 Readiness Assessment

We built Pillar so you can assess your compliance with 30+ global standards. It helps you get started with a tailored view of your controls and any gaps to prepare for our compliance audits for one or more frameworks. And, Pillar is always free.

SOC 2 Remediation Support

SOC 1 Remediation Support

We guide you as you address any gaps and implement fit-for-purpose processes that align with your culture and the SOC 1 objectives. Our flexible and responsive team helps you work through it at your own pace.

SOC 1 Type 1 Audit

SOC 1 Type 1 Audit

We conduct the Type 1 audit at your pace to help you minimise disruption and learn through the process. Our iterative reviews and feedback helps you stay on track and achieve real operational benefits for your company.

SOC 2 Audit Type 2

SOC 1 Type 2

We conduct the Type 2 audits either at your pace within a defined timeline to suit your preference, or increasingly with our continuous audit practices that conduct the audits in the background throughout the year to minimise disruption and increased confidence in your compliance.

Get started your way.
We’re ready when you are!

FAQ

Your questions answered

Why are SOC 1 financial reporting objectives relevant to software companies?

The main driver we see for SOC 1 that comes with a financial reporting objective focus, is for publicly listed companies and their associated compliance with Sarbanes Oxley (SOX). That is where publicly listed companies need to prove they have effective internal controls including over critical systems they use. That includes third party software, so your publicly listed customers may ask you for a SOC 1 report covering your software as a service.

What’s the difference between SOC 1 and SOC 2?

The service organisation control, now sometimes referred to as system and organisational control (SOC) standards have been around for decades. Their earlier use was driven by financial reporting objectives, later termed “SOC 1”. That’s where third parties would rely on IT systems or services, and that would impact their financial statement audits or other financial interests like in asset management or superannuation, as examples. 

As reliance on third party services evolved with the software as a service boom, these reports naturally evolved to being used for assurance over those third party services even if there were no direct financial objectives involved. The Trust Services Criteria were then introduced to better align to the modern needs of third parties that were reliant on the security, availability, confidentiality, processing integrity and privacy of third party services. This became “SOC 2” to differentiate from the earlier SOC 1 purpose.

What are Type 1 and Type 2 reports?

A Type 1 report attests to your compliance by design. It’s a snapshot in time that can be achieved by showing you have the right systems and processes in place to satisfy the SOC 1 control objectives. 

A Type 2 report attests to your compliance by both design and operation over a period of time. It covers a period between 3-12 months to show your systems and processes have been operated consistently to satisfy the SOC 1 control objectives. 

Usually, a Type 1 report is issued first to baseline compliance. That marks the start of the live and recurring Type 2 audit periods for reports issued annually. That is the industry standard but the SOC standards have flexibility to choose the report dates and periods as desired (usually driven by customers’ expectations that drives that industry standard approach).

Can you fail SOC 1?

Not as such. SOC 1 reports are not pass/fail. The report can be issued with any number of exceptions and qualifications. Most companies choose to delay their issuance of a SOC 1 report until it is “clean”. If you are in an annual reporting cycle with customer commitments, you may not have that flexibility, so the report may be issued with disclaimers about any identified exceptions and qualifications.

What does SOC 1 cover?

The control objectives in SOC 1 are flexible. They are adapted to specific customer requirements, especially if there are specific financial reporting objectives required to be covered. For a standard SaaS provider scope focused on the technology controls, it includes the following areas as control objectives:

Logical Access
Segregation of Duties
IT Perimeter Security
IT Processing
Change Management
Backups & Recovery
Incident Management
Resilience & Recovery
Vendor Risk Management

Can we reduce the audit work by using a compliance platform?

Yes is the short answer. Unlike ISO 27001, there’s no prescribed audit days, so using automation can help auditors achieve the required level of comfort in your controls in less time. But that relies on an audit firm that’s familiar with the specific platform you’re using and that has an audit approach built for it. It also only works if the controls and scope of the audit are limited to the way the platform works. If you look to have customised controls or diverge from the way the platform works, it can cause additional work for the audit.

OTHER STANDARDS

Earn trust with other leading standards

alab-blended-audits-icon

Blended Audits

Combine two or more compliance frameworks into a single blended audit process without duplication to scale trust, not costs and effort.

alab-hipaa-icon

HIPAA

The de facto global and best practice standard for proving secure handling of electronic protected health information (ePHI).

alab-custom-framework-icon

Custom Frameworks

Manage any compliance obligations from customers, regulators or your own internal risk requirements with custom frameworks.

alab-iso-27001-icon

ISO 27001

An international framework to apply a structured and best practice methodology for managing information security.

alab-csa-star-icon

CSA STAR

A comprehensive, best practice standard for cloud security to achieve Level Two accreditation in the security, trust and risk (STAR) register.

alab-cdr-icon

Consumer Data Right

Access consumer data in Australia’s economy-wide open data regime with Consumer Data Right accreditation.

alab-esg-icon

ESG Reporting

A flexible and lightweight framework to report up to 500+ positive impact activities supporting environmental, social and governance (ESG) objectives.

alab-gdpr-icon

GDPR

The global gold-standard for privacy. GDPR is regulated for personal data collected from EU citizens, and an effective framework to satisfy enterprise customers globally.

alab-soc1-sox-itgc-icon

SOC 2

Trust services criteria to satisfy a broad customer base globally for security, availability, confidentiality, privacy and processing integrity.

alab-gdpr-icon

GDPR

The global gold-standard for privacy. GDPR is regulated for personal data collected from EU citizens, and an effective framework to satisfy enterprise customers globally.

GET IN CONTACT

Get started your way

We’re ready when you are

Can’t wait?

Our free products help you get started without any fuss:

pillar-tab-button-normal

The always-free GRC platform that powers trust for hundreds of technology companies.

policytree-tab-button-normal (1)

Our 40-minute policy generator; a better alternative to cookie-cutter templates.