Do you need SOC 1?
You probably need SOC 1 if your customers ask for it during procurement OR if any of these apply:- Payroll processing — your SaaS issues paychecks, W-2s, 1099s
- Billing and invoicing — your SaaS generates invoices customers post to GL
- Payment processing — your SaaS settles payments to customer bank accounts
- Accounting / GL automation — your SaaS posts journal entries
- Inventory / supply chain valuation — your SaaS assigns costs that flow into inventory accounts
- Time-and-attendance — your SaaS produces timesheet data that drives payroll calc
SOC 1 Type I vs Type II
SOX 404 (the public-company internal-controls regime) makes Type II non-negotiable for serving public-company customers. Public customers need to rely on your SOC 1 Type II to satisfy their own SOX 404 obligations.
SOC 1 vs SOC 2 — overlap and distinction
There’s significant overlap — about 40% of controls map directly. Codex tracks both frameworks in parallel without duplicate work.
Codex’s role for SOC 1
Codex doesn’t perform the audit (your CPA firm does that), but it provides the evidence the auditor will request for IT General Controls (ITGCs) — the five-question framework auditors use to evaluate the IT environment supporting your application:1. Logical access (most evidence here)
2. Change management
3. Computer operations
4. Data integrity
5. Information security
Mirrors SOC 2 CC6/CC7 controls. Codex’s SOC 2 evidence covers this.What auditors specifically look for in SOC 1
- Population completeness — when the auditor samples a control (e.g. “show me 25 PR review records”), Codex’s audit log must demonstrate the sample is from the complete population, not cherry-picked.
- Control owner identification — every control needs a named owner. Codex tracks the assignee per control.
- Independent review — controls performed by the same person who created the work being controlled don’t satisfy ITGCs. Codex flags self-approving PRs and similar self-reviews as exceptions.
- Period coverage — the Type II observation window must show every control operated continuously. Codex’s continuous evidence collection makes this trivial; the gap is documented in the SOC 1 if a control was added partway through the period.
When you’re ready
Reports → SOC 1 evidence package outputs:- ITGC evidence per category with timestamps
- Population completeness samples (random samples auditor can verify against full data)
- Exception register (controls that didn’t operate; documented justification)
- Bridge letter template (used between Type II audit periods to extend reliance)