SOC 1 & SOC 2

SOC 1 vs SOC 2 for B2B Software Vendors: Which Report Do You Actually Need?

A CPA firm's plain-English guide to SOC 1 versus SOC 2 — what each report tests, which one your customers' auditors or security teams will ask for, and when you need both.

The short answer

SOC 1 reports on the controls at your company that could affect your customers’ financial statements — think payroll, billing, or payment processing — and is what their financial auditors rely on. SOC 2 reports on your data-protection controls against the AICPA Trust Services Criteria and is what enterprise security and procurement teams ask for. Default rule for B2B SaaS: you need SOC 2 unless your software touches your customers’ books, in which case you need SOC 1 as well.

Key takeaways

  • SOC 1 = financial-reporting controls; SOC 2 = data-protection controls. SOC 1 is examined under AT-C section 320; SOC 2 under AT-C sections 105 and 205. Both are SSAE No. 18 attestation engagements (as amended by SSAE No. 21 for reports dated on/after June 15, 2022).
  • SOC 1 uses management-defined control objectives; SOC 2 uses fixed Trust Services Criteria. You can design SOC 1 objectives around your business; you cannot change the SOC 2 criteria — Security (the Common Criteria) is mandatory, the other four categories are optional.
  • Most B2B SaaS vendors need SOC 2; SOC 1 is the exception. You need SOC 1 only when your service affects a customer’s internal control over financial reporting (ICFR), which flows into their SOX 404 attestation.
  • Payment gateways, payroll, and fintech platforms frequently need both. Both reports are restricted-use and both come in Type I (design) and Type II (design plus operating effectiveness over a period, commonly 6–12 months).

SOC 1 vs SOC 2 at a glance

SOC 1 and SOC 2 are both “SOC for Service Organizations” reports issued only by licensed CPA firms, and they share the same underlying attestation machinery. What differs is what they measure and who reads them. The table below is the fast comparison; the sections after it explain each report and give you a decision framework.

SOC 1 vs SOC 2 — side-by-side comparison
DimensionSOC 1SOC 2
Attestation standardAT-C 105 + 205 plus AT-C 320 (SSAE 18, as amended by SSAE 21)AT-C 105 + 205 (SSAE 18, as amended by SSAE 21)
Primary focusInternal control over financial reporting (ICFR)Security & data protection
What is evaluatedManagement-defined control objectivesAICPA Trust Services Criteria (fixed)
Who requests itCustomer’s financial auditors / CFO / controllerCustomer’s security, procurement & CISO teams
Typical vendor fitPayroll, payments, billing, expense, claims SaaSGeneral B2B SaaS & cloud hosting
Report distributionRestricted useRestricted use
Type I / Type II availableYesYes
Regulatory driverSOX 404 / ICFR assurance chainEnterprise procurement & privacy laws
Related general-use reportSOC 3 (publishable)

What is SOC 1?

A SOC 1 audit is an examination, by an independent CPA firm, of the controls at a service organization that are relevant to its user entities’ internal control over financial reporting (ICFR). It is performed under SSAE No. 18, AT-C section 320 — Reporting on an Examination of Controls at a Service Organization Relevant to User Entities’ Internal Control Over Financial Reporting. In plain terms: if the software you run for a customer could change a number that ends up in that customer’s financial statements, SOC 1 is how their auditor gets comfort that your controls work.

The defining feature of SOC 1 is that you define the control objectives. Management describes the system and states control objectives such as “controls provide reasonable assurance that payroll transactions are processed completely and accurately.” The auditor then tests the controls you designed to meet those objectives. Because the objectives are management-defined, two vendors can meet the same objective with completely different control designs — there is no fixed checklist. This flexibility is the single biggest conceptual difference from SOC 2, which tests against a fixed rubric.

SOC 1 exists because of the Sarbanes-Oxley Act (SOX) Section 404 assurance chain. A public-company customer must attest to the effectiveness of its ICFR. When it outsources a financially significant process to you, it cannot audit inside your systems — so its auditor relies on your SOC 1 report (typically a Type II) as evidence that the outsourced controls operated effectively. The report is built on the COSO Internal Control — Integrated Framework (2013), the same framework the customer uses for its own ICFR.

When a software vendor triggers a SOC 1 request

You will usually learn you need SOC 1 the moment a customer’s controller or external auditor asks for one during procurement or year-end audit. The trigger is always the same: your platform performs a function that flows into the customer’s books. Concrete examples include:

  • Payroll processing — wages, tax withholding, and disbursements feed payroll expense and liabilities.
  • Payments, billing, and collections (AR) — transaction capture, invoicing, and cash application affect revenue and receivables.
  • Expense management and reimbursements — approvals and disbursements hit expense accounts.
  • Benefits administration — contributions and deductions feed payroll and benefits liabilities.
  • Claims adjudication — claims determinations drive insurance-related expense and reserves.

If none of your functions touch a customer’s financial reporting, you almost certainly do not need SOC 1 — SOC 2 is the report to focus on.

What is SOC 2?

A SOC 2 audit is an examination of your controls against the AICPA Trust Services Criteria (TSC) — the 2017 criteria, revised with updated points of focus in 2022 (published as TSP section 100). It is performed under SSAE No. 18, AT-C sections 105 (Concepts Common to All Attestation Engagements) and 205 (Assertion-Based Examination Engagements). Unlike SOC 1, the criteria are fixed: you cannot invent your own, and the auditor evaluates your controls against the predefined TSC.

The TSC are organized into five categories. The Security category — the Common Criteria (CC1–CC9) — is mandatory in every SOC 2 report. The other four are optional and you elect them based on customer demand and what your service promises: Availability, Processing Integrity, Confidentiality, and Privacy. Choosing which categories to include is a core scoping decision; you can review the specific controls mapped to each Trust Services Criterion before committing.

Why SOC 2 is the default for most B2B SaaS

In enterprise procurement, the team blocking your deal is almost always security, not finance. Security questionnaires, vendor-risk reviews, and CISO sign-off center on how you protect data — access control, change management, encryption, monitoring, incident response — which is exactly what SOC 2 evidences. For most SaaS vendors that store customer data but never touch a customer’s books, SOC 2 (usually a Type II report) is the one report that unblocks revenue. SOC 2 also anchors privacy-law diligence: buyers subject to HIPAA or GDPR use it as the baseline before layering framework-specific requirements on top. As a practical matter, SOC 1 is the exception among software vendors and SOC 2 is the default.

The core distinction: financial-reporting controls vs data-protection controls

Strip away the acronyms and the difference is one question: does your software affect a customer’s money or a customer’s data? SOC 1 answers “can the customer’s auditor trust the numbers your system produces?” SOC 2 answers “can the customer’s security team trust how you protect the data they give you?”

The second, subtler distinction is flexible objectives vs fixed criteria. In SOC 1, control objectives are management-defined, so multiple control designs can satisfy the same objective. A classic illustration: an objective of “physical access to the data center is restricted to authorized personnel” can be met with keycard badges, biometric scanners, a security guard, or a mantrap — any design that achieves the objective is acceptable, and the auditor tests what you chose. In SOC 2, by contrast, you are measured against the fixed Trust Services Criteria; you cannot rewrite CC6.1, you can only demonstrate that your controls satisfy it. That flexible-vs-fixed contrast is why a SOC 1 report is highly tailored to a business process, while SOC 2 reports across vendors look structurally similar.

How to decide which report you need

Work from what your software actually does for the customer, not from your industry label. “Fintech” does not automatically mean SOC 1, and “financial software” does not either — a budgeting app that never posts to a customer’s ledger is a SOC 2 story. Use the matrix below to place yourself.

Decision matrix — which SOC report by what your software does
If your software…You likely needWhy
Processes payroll or wagesSOC 1 (usually + SOC 2)Feeds payroll expense/liabilities; the customer’s auditor relies on it for ICFR.
Handles payments, billing, or ARSOC 1 (usually + SOC 2)Affects revenue and receivables in the customer’s statements.
Manages expense reports / reimbursementsSOC 1Approvals and disbursements post to expense accounts.
Adjudicates insurance claimsSOC 1Claims determinations drive expense and reserves.
Is a payment gateway or fintech platformFrequently BOTHSOC 1 for transaction accuracy; SOC 2 for the data it stores and secures.
Stores customer PII or business data (general SaaS)SOC 2Security and procurement teams want data-protection assurance.
Hosts customer workloads (IaaS / PaaS)SOC 2Infrastructure security and availability, not the customer’s books.
Sells to public companies subject to SOXSOC 1 if it touches ICFRThe customer’s SOX 404 attestation depends on your controls.
Sells to healthcare (PHI)SOC 2 + add HIPAAData protection plus HIPAA Security/Privacy Rule obligations.
Sells into the EU (personal data)SOC 2 + GDPRSOC 2 baseline plus GDPR processor obligations.

A plain-language decision tree: (1) Does your software change numbers that land in a customer’s financial statements? If yes → you need SOC 1. (2) Do you store or process customer data that enterprise security teams will scrutinize? If yes → you need SOC 2. (3) If both are yes → you need both. For a stage-by-stage view of when to start, see our compliance roadmap by funding stage.

When you need both SOC 1 and SOC 2

The canonical “both” case is a platform that simultaneously touches a customer’s financial reporting and stores sensitive data: payroll, billing, fintech, and payment gateways are the usual examples. Here the customer’s finance function needs SOC 1 for its year-end audit, while the customer’s security function needs SOC 2 for its vendor-risk review. One report will not satisfy the other stakeholder.

Running both efficiently

The good news is that the two examinations overlap heavily in the control environment — access management, change management, and IT general controls support both reports. The efficient pattern is to map shared controls once, maintain a single evidence repository, and run one governance cadence, then let the SOC 1 objectives and the SOC 2 criteria draw from the same evidence. Scope decisions matter here: read our guide on scoping your systems, and for the full playbook on sequencing and combining the two examinations, see when you need both SOC 1 and SOC 2.

Type I vs Type II (applies to both SOC 1 and SOC 2)

Both SOC 1 and SOC 2 come in two flavors, and the distinction is identical for each. A Type I report evaluates whether controls are suitably designed as of a single point in time. A Type II report evaluates both design and operating effectiveness across a period — commonly 6 to 12 months — by testing evidence sampled throughout the window.

Type I vs Type II — applies to SOC 1 and SOC 2 alike
AttributeType IType II
ScopeDesign of controlsDesign and operating effectiveness
Time coverageA single point in time (“as of” date)A period, commonly 6–12 months
Assurance strengthLower — proves design onlyHigher — proves controls actually operated
Typical useFirst report / speed to unblock a dealRenewals / enterprise requirement
Effort & costLowerHigher — period testing, more evidence

Enterprise buyers almost always require Type II because it demonstrates that controls worked over time rather than on one day; a Type I is typically accepted only as an interim signal. If you are weighing which to obtain first, our dedicated guide to SOC 2 Type I vs Type II walks through the sequencing decision in depth.

What SOC 1 and SOC 2 have in common

Beyond both being SSAE No. 18 attestation examinations issued only by licensed CPA firms, SOC 1 and SOC 2 share several structural features:

  • Restricted-use distribution. Both reports are restricted use — intended only for the service organization, its user entities (for user entities that used the system during the period covered), and those user entities’ auditors. Neither can be posted publicly.
  • Management’s description and assertion. Both include management’s written description of the system and a management assertion that the description is fairly presented and controls are suitably designed (and, for Type II, operated effectively).
  • Subservice organizations. When you rely on a subservice organization (e.g., a cloud provider), you choose the carve-out method (exclude its controls from your description and rely on Complementary Subservice Organization Controls, CSOCs) or the inclusive method (incorporate them). This choice materially affects scope in both SOC 1 and SOC 2.
  • Complementary User Entity Controls (CUECs). Both reports typically list controls the customer must operate for the overall system to work — for example, managing their own user access.
  • Bridge letters. To cover the gap between a report’s period-end and a buyer’s review date, either report may be accompanied by a management-signed bridge letter (gap letter). It is a management representation, not auditor-tested assurance, so practice limits it to roughly 90 days and it cannot replace a fresh report.

Where SOC 3 fits

SOC 3 is the general-use counterpart to SOC 2: it covers the same Trust Services Criteria but omits the detailed description of the system and the auditor’s test results, leaving a short, marketing-friendly report you can publish on your website or hand to any prospect. There is no SOC 3 equivalent of SOC 1. If you want a freely distributable trust signal to supplement your restricted-use SOC 2, a SOC 3 report is the vehicle — but it does not replace the SOC 2 that security teams will still request.

Cost and timeline comparison

Report type is only one input to price and schedule; scope is the real driver — the number of Trust Services Criteria beyond Security, the count of in-scope systems, headcount, and evidence maturity. For SOC 2, a Type I is faster and cheaper than a Type II because it examines a point in time rather than a period. SOC 1 timelines are comparable at equivalent scope, but exact figures depend on the number and complexity of your control objectives, so we quote them after a scoping call rather than publish a generic range.

Cost & timeline by report (illustrative; final scope drives the quote)
ReportTypical timelineRelative costBest-fit stage
SOC 2 Type I~4–8 weeks once controls are in placeLowerFirst report / deal on the line
SOC 2 Type II6–12 month observation window + ~4–6 weeks fieldworkHigherRenewals / enterprise requirement
SOC 1 Type IComparable to SOC 2 Type I at equal scope (quoted after scoping)Scope-dependentProving design of financial-reporting controls
SOC 1 Type IIPeriod + fieldwork, comparable to SOC 2 Type II (quoted after scoping)Scope-dependentCustomer’s year-end / SOX reliance

Be wary of published dollar ranges: they vary enormously by scope and are not a substitute for a quote. Auditsuisse provides a single fixed fee after a short scoping call so there are no mid-engagement surprises.

Adjacent frameworks: HIPAA, GDPR, and SOC 2+

For most vendors, SOC 2 is the platform other requirements attach to. If you handle protected health information, layer a HIPAA engagement on top of SOC 2 to address the HIPAA Security and Privacy Rules that a healthcare buyer’s diligence will demand. If you process the personal data of people in the EU, add GDPR processor obligations — and note that the EU–US Data Privacy Framework remains contested and not fully settled, so Standard Contractual Clauses (SCCs) stay the safe fallback for transfers.

Two additional report types are worth knowing. A SOC 2+ examination maps your SOC 2 controls to an additional framework (HIPAA, HITRUST, ISO 27001, or NIST) in a single report, reducing duplicated testing. SOC for Cybersecurity is a separate, general-use report on an organization’s enterprise-wide cybersecurity risk-management program, aimed at boards and investors rather than procurement. Neither replaces SOC 1 or SOC 2, but both can bundle frameworks efficiently once your core program is running.

Common mistakes vendors make choosing between SOC 1 and SOC 2

Assuming “financial software” means SOC 1. The trigger is whether your system affects a customer’s financial statements, not whether it deals with money. Analytics, budgeting, and read-only reporting tools that never post to a ledger are SOC 2 stories.

Scoping the wrong Trust Services Criteria. Teams reflexively add Availability, Confidentiality, and Privacy without demand, inflating cost and evidence burden. Start from Security (mandatory) and add categories only where a customer commitment or contract requires them.

Buying SOC 2 when the customer’s auditor actually needs SOC 1. A procurement request for “your SOC report” sometimes originates with the customer’s finance team for ICFR reliance. Handing over a SOC 2 will not satisfy a financial-statement auditor who needs SOC 1 — confirm which stakeholder is asking before you scope.

Getting a Type I when the buyer’s contract says Type II. A Type I unblocks short-term, but if the contract specifies Type II you will still need the period-based report; plan the observation window early.

Importing generic firm stats into your timeline. A Type II observation window runs months, not days; do not promise a two-week turnaround for a report that by design tests controls over a 6–12 month period.

Frequently asked questions

What is the difference between SOC 1 and SOC 2?

SOC 1 (performed under AT-C section 320) reports on controls that affect a customer’s internal control over financial reporting, such as payroll or payment processing. SOC 2 (performed under AT-C sections 105 and 205) reports on data-protection controls against the AICPA Trust Services Criteria — security, availability, processing integrity, confidentiality, and privacy. Both are issued only by licensed CPA firms.

Does my B2B software company need SOC 1 or SOC 2?

Most B2B SaaS vendors need SOC 2, because enterprise procurement and security teams want assurance over data protection. You need SOC 1 only if your software affects your customers’ financial statements — for example payroll, billing, payments, expense, or claims processing — where the customer’s auditor relies on your controls for SOX 404.

Can a company have both SOC 1 and SOC 2?

Yes. Vendors whose platform both touches customers’ financial reporting and stores sensitive data — such as payroll, fintech, payment-gateway, or billing SaaS — often obtain both. SOC 1 satisfies the customer’s financial auditors; SOC 2 satisfies security and procurement reviews. Shared controls and a single evidence repository let you run both efficiently.

Is SOC 1 or SOC 2 better?

Neither is better — they answer different questions. SOC 1 addresses financial-reporting risk (ICFR) for a customer’s auditors; SOC 2 addresses information-security and data-protection risk for a customer’s security team. The right report depends on whether your software affects a customer’s books or their data.

What standards are SOC 1 and SOC 2 based on?

Both are AICPA attestation examinations under SSAE No. 18, as amended by SSAE No. 21 for reports dated on or after June 15, 2022. SOC 1 follows AT-C section 320 (on top of AT-C 105 and 205) and tests management-defined control objectives tied to financial reporting. SOC 2 follows AT-C sections 105 and 205 and tests the fixed Trust Services Criteria, with Security (the Common Criteria) mandatory and four other categories optional.

Is a SOC report Type I or Type II — and does it apply to both SOC 1 and SOC 2?

Both SOC 1 and SOC 2 come in two types. Type I evaluates whether controls are suitably designed at a single point in time. Type II evaluates design plus operating effectiveness over a period, commonly 6 to 12 months. Enterprise buyers almost always require Type II for the stronger, period-based assurance.

Can you have SOC 1 without SOC 2?

Yes. A vendor whose only compliance driver is a customer’s financial auditor — for example a payroll or fund-administration platform selling mainly to private companies — may obtain SOC 1 alone. In practice, once that vendor starts enterprise security reviews it is usually asked for SOC 2 as well, so many end up with both.

Is SOC 2 a certification or a report?

SOC 2 is an attestation report and an auditor’s opinion, not a certification or a pass/fail badge. A licensed CPA firm examines your controls against the Trust Services Criteria and issues an opinion. The same is true of SOC 1. There is no SOC 1 or SOC 2 certificate — only a report you share under restricted use.

Sources & further reading

  1. AICPA & CIMA — SOC 1® — SOC for Service Organizations: ICFR (AT-C section 320).
  2. AICPA & CIMA — 2017 Trust Services Criteria (with Revised Points of Focus — 2022), TSP section 100.
  3. AICPA — Statement on Standards for Attestation Engagements No. 18 (SSAE 18), as amended by SSAE No. 21 (effective for reports dated on or after June 15, 2022); SOC 2 under AT-C section 205, SOC 1 under AT-C section 320.
  4. U.S. Securities and Exchange Commission — Sarbanes-Oxley Act Section 404: Management’s Report on Internal Control Over Financial Reporting.
Sébastien Ruosch Reviewed by Sébastien Ruosch, CPA (US & Swiss licensed), Director of Audits at Auditsuisse. Last reviewed July 1, 2026.

Get the right report the first time

Auditsuisse is a US & Swiss licensed CPA firm that issues both reports. We’ll confirm whether your buyers need SOC 1, SOC 2, or both, scope it correctly, and quote a fixed fee — explore our SOC 1 audit services or book a scoping call.

Request Consultation
Back to top ↑