What is a SOC 1 report?
A European user auditor requests a service organization's controls report and receives something titled "SOC 1" instead of the expected ISAE 3402. The report looks similar and the control objectives are familiar, but the standard reference on the cover page is different. The question that follows is always the same: can I actually rely on this?
A SOC 1 report is an assurance report on controls at a service organization that are relevant to user entities' financial reporting. It's governed by SSAE 18, AT-C Section 320 (the AICPA standard used in the United States), and it covers the same subject matter as ISAE 3402 (the IAASB standard used across Europe and internationally).
A SOC 1 Type 2 report and an ISAE 3402 Type II report test the same things: design and operating effectiveness of controls over a period. The difference is jurisdiction, not substance. Most large service organizations that operate across borders issue dual-standard reports referencing both SSAE 18 and ISAE 3402, which avoids separate engagements and gives user auditors on both sides of the Atlantic a report they can rely on under their own framework.
ISA 402 doesn't restrict the user auditor to ISAE 3402 specifically. It requires "sufficient appropriate audit evidence." Some regulators, however (the AFM in the Netherlands being the most vocal), have expressed a preference for ISAE 3402 reports. User auditors should check their regulator's position before relying on an SSAE 18-only report. That five-minute check can save weeks of back-and-forth during an inspection.
Key Takeaways
- SOC 1 is the AICPA's equivalent of ISAE 3402, covering controls relevant to user entities' financial reporting.
- European user auditors can often rely on a SOC 1 report, but some regulators (especially the AFM) require ISAE 3402 specifically.
- SOC 1 reports come in Type 1 (design only) and Type 2 (design plus operating effectiveness over a period).
- SOC 1 is distinct from SOC 2, which covers operational IT controls not tied to financial reporting.
Worked example: Logística Digital S.L.
Logística Digital S.L. is a Spanish logistics software company based in Barcelona, operating a warehouse management platform for 45 retail clients. Its US-listed parent company requires a SOC 1 Type 2 report under SSAE 18. Given the European client base, the service auditor recommends a dual-standard report referencing both SSAE 18 and ISAE 3402 to cover both jurisdictions in one engagement. The report covers January to December 2024.
Four control objective areas are in scope: order processing, warehouse data integrity, billing calculation, and user access management. The service auditor tests 28 controls across these areas. This is where the ticking and bashing begins (systematically tracing each control to its supporting evidence), and the real work of the engagement sits in Section III.
One exception surfaces: the quarterly access review in Q2 was completed 8 days late. The service auditor describes this in the report. The reviews for the other three quarters were completed on time, and no unauthorized access was identified during the delayed Q2 review.
A European user auditor relies on the dual-standard report under ISA 402 without regulatory friction. Because the report references both standards, the SSAE 18 reference satisfies the US parent's requirements and the ISAE 3402 reference satisfies European regulatory expectations, all in a single engagement.
What reviewers get wrong
European user auditors sometimes accept an SSAE 18-only SOC 1 report as identical to ISAE 3402 for regulatory purposes. The substance is similar, but some EU regulators distinguish between the two standards. When the AFM or another regulator asks "which standard was this report issued under?" the answer matters. A dual-standard report eliminates this risk entirely.
The other common mistake is confusing SOC 1 with SOC 2. Teams sometimes request or accept a SOC 2 report when they need evidence about controls over financial reporting. SOC 1 covers financial reporting controls. SOC 2 covers operational IT controls (security, availability, processing integrity, confidentiality, and privacy). They aren't interchangeable for ISA 402 purposes, and grabbing the wrong one means starting over. TGIF (thank God it's Friday) takes on a different meaning when you discover the mismatch at 4pm on a Friday before the review deadline.
SOC 1 vs ISAE 3402
| Dimension | SOC 1 (SSAE 18) | ISAE 3402 |
|---|---|---|
| Standard setter | AICPA | IAASB |
| Primary jurisdiction | US | European / international |
| Report types | Type 1 and Type 2 | Type I and Type II |
| Underlying framework | AT-C Section 320 | ISAE 3000 (Revised) |
| Dual reporting | Can combine with ISAE 3402 | Can combine with SSAE 18 |
Key standard references
SSAE 18, AT-C Section 320 is the AICPA standard governing SOC 1 engagements. Its international equivalent is ISAE 3402, issued by the IAASB, which covers assurance reports on controls at a service organization. On the user auditor's side, ISA 402 governs how the auditor considers a service organization and requires "sufficient appropriate audit evidence." ISA 315 (Revised 2019) also comes into play when the user auditor identifies IT general controls at the service organization that are relevant to the risk assessment.
Frequently asked questions
Can a European auditor rely on a SOC 1 report?
Generally yes. ISA 402 requires "sufficient appropriate audit evidence" and does not mandate ISAE 3402 specifically. However, some European regulators prefer or require ISAE 3402, so check your regulator's position.
What is the difference between SOC 1 and SOC 2?
SOC 1 covers controls relevant to financial reporting (same scope as ISAE 3402). SOC 2 covers operational controls related to security, availability, processing integrity, confidentiality, and privacy. They serve different purposes and are not interchangeable.