SOC 1

SOC 1 is the AICPA attestation report on a service organization's controls that are relevant to its customers' (user entities') internal control over financial reporting. It is what the external auditors of public companies look for when a vendor processes, computes, or stores data that feeds the customer's financial statements.

SOC 1 vs SOC 2 vs SOC 3

SOC 1 reports cover controls at a service organization that are relevant to user entities' internal control over financial reporting (ICFR). SOC 2 reports cover controls relevant to security, availability, processing integrity, confidentiality, and privacy (the AICPA Trust Services Criteria); they are restricted-use reports shared under NDA and are the most common procurement ask for SaaS and AI vendors. SOC 3 is a general-use summary of a SOC 2 examination, publishable without NDA. Most AI vendors will produce only SOC 2 reports; a vendor whose product directly produces or processes amounts that flow into customer financial statements (payroll AI, AP automation, revenue recognition tooling) may also need SOC 1. A SOC 2 report does not substitute for SOC 1: the two examinations test against different criteria and the financial-statement auditor cannot rely on SOC 2 for ICFR purposes.

When SOC 1 matters for AI buyers

If you are a public company, or are otherwise audited under PCAOB standards or subject to SOX 404, and the AI vendor's output materially affects financial statements (e.g., an AI that classifies transactions, projects revenue for accruals, or computes loan loss reserves), your external auditor will ask whether the vendor has a SOC 1 report. The report lets your auditor rely on the service auditor's testing of the vendor's controls instead of re-testing them. Without it, your auditor must perform alternative procedures, which usually means testing controls at the vendor directly (if the vendor will allow it) or treating the unverified vendor controls as a gap in your own ICFR. Reliance is also conditional: SOC 1 reports list complementary user entity controls (CUECs) that the vendor assumes you operate (for example, reviewing and approving the AI's classifications before posting), and your auditor will expect to see those controls in place and tested on your side.

Type I vs Type II

As with SOC 2: a Type I report opines on whether controls are suitably designed and implemented as of a point in time; a Type II report adds whether they operated effectively over a period (usually 6-12 months). Procurement should default to Type II for any vendor that has been in business long enough to produce one, because only a Type II supports auditor reliance on operating effectiveness. The observation window matters: if a vendor's first Type II covers Jan-Jun and your audit covers a calendar year, your auditor may want a bridge letter for the gap. Note that a bridge letter is a statement by the vendor's management that no material control changes occurred after the report period; it is not attested by the service auditor, so the longer the gap, the less comfort it provides and the more likely your auditor is to ask for additional procedures.