SOC 1’s are intended to discuss the internal controls for financial reporting (ICFR). Think about it this way, if your service has an impact on the financial statements of your customers, then you will likely be looking at a SOC 1. But those financial related controls aren’t the only thing that might be in the report. You may find that you also need to report on some of the things you would find in a SOC 2, like security, confidentiality, etc. Those can be incorporated as well because, in SOC 1, you define the Control Objectives.

Did this answer your question?