SOC 1 without rebuilding SOC 2

Demonstrate effective ICFR for your customers

SOC 1 reports for service providers whose customers depend on you for financial reporting. Pre-mapped to SOC 2 for shared scope, with carve-out and user entity control workflows.

What is SOC 1?

SOC 1 (System and Organization Controls 1) is the AICPA attestation report addressing a service organization's controls that are relevant to its user entities' Internal Control over Financial Reporting (ICFR). It is the modern descendant of SAS 70, now issued under SSAE 18 attestation standards.

SOC 1 reports come in two flavors: Type I (design of controls at a point in time) and Type II (design and operating effectiveness over a period, typically 6-12 months). Your customers' external auditors use SOC 1 Type II reports when deciding whether to rely on your controls in those customers' financial-statement audits.

Who needs SOC 1

Service organizations whose operations directly affect customers' financial reporting — payroll providers, billing systems, transaction processors, ERP hosting providers, fund administrators, and many SaaS companies serving regulated public-company customers. If your customers' external auditors regularly ask for your SOC 1, you need one.

How episki helps

SOC 1 and SOC 2 share substantial overlap in control activities — change management, access reviews, monitoring, and incident response are common to both. episki keeps the two engagements in one workspace with a unified control library and evidence locker, so you stop maintaining parallel programs.

SOC 1 Type I/II outcomes with episki

Quantify the impact security and compliance bring to your business.
Type I + II
Both point-in-time and period-of-time SOC 1 reports supported.
SSAE 18
Reports built per the current AICPA SSAE 18 attestation standard.
CUEC
Complementary User Entity Control documentation tracked alongside your own controls.

Why teams choose episki for SOC 1 Type I/II

Framework-specific automation, collaboration, and reporting in one workspace.
Control objectives and procedures
A library of common SOC 1 control objectives with mapped control activities and testing procedures.
  • Control objectives library by domain
  • Testing procedures aligned to SSAE 18
  • Evidence organized per control activity
Carve-out and inclusive
Track subservice organizations with the carve-out or inclusive method.
  • Carve-out subservice organization tracking
  • Inclusive method workflows for tightly coupled subservices
  • SOC 1 sub-processor risk reviews via TPRM
Cross-mapped to SOC 2
Many controls do double duty across SOC 1 and SOC 2. Map once, evidence once, report twice.
  • Shared control library between SOC 1 and SOC 2
  • Single evidence locker
  • Auditor portal supports both engagement types

SOC 1 readiness inside episki

From scoping to signed report — what you need preloaded.

Plug episki into your stack and work directly from this checklist during the free trial.

  • Control objectives library scoped to your service
  • Subservice organization treatment (carve-out / inclusive)
  • Complementary User Entity Controls (CUECs) documented
  • Type I or Type II report-period decision support
  • Auditor portal with PBC and walkthrough management
  • Cross-mapping to SOC 2 for shared scope

SOC 1 program accelerators

Issue your first SOC 1 without ripping up your SOC 2 program.
Scoping wizard
Determine relevant control objectives based on your service offering.
CUEC catalog
Pre-written Complementary User Entity Controls customizable per customer.
SOC 1 ↔ SOC 2 crosswalk
Reuse evidence across both engagements with a clear mapping.

Issue SOC 1 in episki

Stand up the SOC 1 engagement alongside your SOC 2, sharing evidence and auditor workflows.