SOC 1 (SSAE 18) Attestation

Your controls, trusted by your client's own auditors.

B4Q performs independent SOC 1 examinations under SSAE 18 for service organizations whose controls affect their clients' financial statements — payroll processors, fund administrators, and SaaS billing platforms among them.

  • SSAE 18-based control objectives
  • Type I & Type II reports
  • Not to be confused with SOC 2
Control Objectives CUECs User Auditor Reliance ICFR
SOC 1
Reliance, Reported
0Years of Experience
0Satisfied Clients
0SSAE Standard Applied
0Client Retention Rate
Why It Matters

When your controls become part of someone else's audit.

If you process payroll, administer funds, run billing, or otherwise touch data that ends up on a client's financial statements, their auditor has to get comfortable with your controls too — not just yours, but the ones that ripple into their books.

A SOC 1 report is how you give their auditor that comfort without a dozen separate site visits: one independent examination of your control objectives that their audit team can rely on directly.

  • 01 Satisfies user auditors instead of fielding repeated ad hoc control questions.
  • 02 Removes SOC 1 as a blocker in enterprise and financial-sector sales cycles.
  • 03 Documents exactly which controls your clients are still responsible for (CUECs).
SOC 1 At a Glance

What actually applies to you

StandardSSAE 18 (AT-C 320)
Report typesType I · Type II
AudienceYour clients' auditors
Common forPayroll, fund admin, SaaS billing
Control objectivesDefined by management, not fixed
CUECsDocumented, client-side responsibility
Who This Applies To

If your controls affect their books, this is for you.

SOC 1 doesn't have a fixed set of criteria like SOC 2 — instead, it's built around the specific control objectives relevant to your service and your clients' financial reporting.

COMMON USE 01

Payroll Processors

Wage calculations and tax withholdings flow directly into client financial statements.

COMMON USE 02

Fund Administrators

NAV calculations and investor reporting underpin fund-level financial statements.

COMMON USE 03

SaaS Billing Platforms

Revenue recognition and invoicing accuracy ripple straight into client revenue lines.

COMMON USE 04

Trust & Custody Services

Asset custody and transaction processing directly affect client account balances.

Choose Your Report

Type I or Type II — scoped to your renewal timeline.

Like SOC 2, SOC 1 comes in two flavors — a point-in-time design opinion, or an operating-effectiveness opinion over a monitoring period.

Point-in-time

SOC 1 Type I

Evaluates whether your control objectives are suitably designed as of a specific date — the fastest way to give user auditors an initial basis for reliance.

2–4 wksTypical fieldwork
1 datePoint-in-time scope
DesignFocus of testing
  • Fastest path to a shareable report
  • Confirms control design before Type II
  • Common first step for new service organizations
Design assessed
Operating tested
Evidence window
Over a period

SOC 1 Type II

Tests whether your control objectives actually operated effectively over an observation period — what most user auditors ultimately need to place reliance for their own audit.

6–12 moObservation window
OngoingEvidence sampling
OperatingFocus of testing
  • The report most user auditors ultimately require
  • Demonstrates sustained control operation
  • Renewed annually to maintain client reliance
Design assessed
Operating tested
Evidence window
How We Work

From control objectives to a report your clients' auditors trust.

Because SOC 1 has no fixed criteria, getting the scope right at the start matters more than in almost any other engagement.

01

Scoping Control Objectives

We define the control objectives relevant to your service and your clients' financial reporting — the foundation of the entire report.

02

Identifying CUECs

Complementary User Entity Controls are documented — the controls your clients still need to operate on their end.

03

Readiness Assessment

We flag control gaps against the defined objectives before the formal examination clock starts.

04

Type I Assessment

Our examiners test whether your controls are suitably designed as of a point in time and issue your Type I report.

05

Observation Period

Controls run and are monitored over your chosen window, building the operating-effectiveness evidence Type II requires.

06

Type II Examination & Report Issuance

We test operating effectiveness across the period and issue the final report your clients can share with their auditors.

Choosing the Right Report

SOC 1 or SOC 2 — most confusion starts here.

The two reports answer different questions. Some service organizations need both.

We offer both. This comparison is here to help you scope the right one, not to steer you toward either.
 SOC 1SOC 2
AnswersDo your controls affect their financial statements?Do your controls protect their data?
CriteriaManagement-defined control objectivesAICPA Trust Services Criteria
Primary audienceYour clients' financial auditorsSecurity & procurement teams
Typical requesterCFO, controller, external auditorCISO, IT, vendor risk team
Common forPayroll, fund admin, billing platformsSaaS, cloud infrastructure, tech vendors
Why B4Q

A report your clients' auditors actually accept.

Scoped correctly the first time, since a poorly scoped SOC 1 creates more questions than it answers.

Control Objectives, Scoped Right

We define objectives around what your clients' auditors actually need to see, not a generic template.

CUECs Documented Clearly

Your clients know exactly what's on them, reducing disputes during their own audit.

SOC 1 & SOC 2, Coordinated

If you need both reports, we run them as one coordinated program, not two separate audits.

Timelines You Can Plan Around

Clear milestones from kickoff to issuance, so your sales team knows what to expect.

50+ Businesses Served

Across payroll, fund administration, and financial-adjacent service organizations.

96% Client Retention

Clients return year after year for their Type II renewal.

Questions

SOC 1, answered.

Do we need SOC 1, SOC 2, or both?
SOC 1 applies if your controls affect your clients' financial statements — payroll, fund administration, billing. SOC 2 applies if your controls protect your clients' data security and privacy. Some service organizations, like payment processors, genuinely need both.
What are control objectives, and who defines them?
Unlike SOC 2's fixed Trust Services Criteria, SOC 1 control objectives are defined by your management, tailored to your specific service and the financial reporting risks it creates for your clients. Getting this scope right at the start is the most important step in the engagement.
What are CUECs?
Complementary User Entity Controls are controls your report assumes your clients are operating on their own end — for example, reviewing payroll reports before approval. They're documented in the report so both sides know exactly where responsibility sits.
Who actually reads a SOC 1 report?
Primarily your clients' financial statement auditors, along with their CFOs and controllers — it's a restricted-use report intended for that specific audience, not a general marketing document.
How long does a SOC 1 examination take?
A Type I report can often be issued within a few weeks once scoping is complete. A Type II report requires an observation period, typically six to twelve months, before the examination and issuance.

Ready for a report your clients' auditors trust?

Book a free strategy call and we'll scope the right control objectives for your service.