Skip to main content
SOC 1 is the AICPA report focused on internal controls over financial reporting (ICFR) at a service organization. It’s distinct from SOC 2 (security) and applies when your SaaS is part of your customers’ financial reporting chain.

Do you need SOC 1?

You probably need SOC 1 if your customers ask for it during procurement OR if any of these apply:
  • Payroll processing — your SaaS issues paychecks, W-2s, 1099s
  • Billing and invoicing — your SaaS generates invoices customers post to GL
  • Payment processing — your SaaS settles payments to customer bank accounts
  • Accounting / GL automation — your SaaS posts journal entries
  • Inventory / supply chain valuation — your SaaS assigns costs that flow into inventory accounts
  • Time-and-attendance — your SaaS produces timesheet data that drives payroll calc
Pure data tools (analytics, monitoring, internal collaboration) typically don’t need SOC 1. Layer doesn’t need SOC 1 — Codex doesn’t either. But if you sell to F500 finance teams, expect to be asked.

SOC 1 Type I vs Type II

SOX 404 (the public-company internal-controls regime) makes Type II non-negotiable for serving public-company customers. Public customers need to rely on your SOC 1 Type II to satisfy their own SOX 404 obligations.

SOC 1 vs SOC 2 — overlap and distinction

There’s significant overlap — about 40% of controls map directly. Codex tracks both frameworks in parallel without duplicate work.

Codex’s role for SOC 1

Codex doesn’t perform the audit (your CPA firm does that), but it provides the evidence the auditor will request for IT General Controls (ITGCs) — the five-question framework auditors use to evaluate the IT environment supporting your application:

1. Logical access (most evidence here)

2. Change management

3. Computer operations

4. Data integrity

5. Information security

Mirrors SOC 2 CC6/CC7 controls. Codex’s SOC 2 evidence covers this.

What auditors specifically look for in SOC 1

  • Population completeness — when the auditor samples a control (e.g. “show me 25 PR review records”), Codex’s audit log must demonstrate the sample is from the complete population, not cherry-picked.
  • Control owner identification — every control needs a named owner. Codex tracks the assignee per control.
  • Independent review — controls performed by the same person who created the work being controlled don’t satisfy ITGCs. Codex flags self-approving PRs and similar self-reviews as exceptions.
  • Period coverage — the Type II observation window must show every control operated continuously. Codex’s continuous evidence collection makes this trivial; the gap is documented in the SOC 1 if a control was added partway through the period.

When you’re ready

Reports → SOC 1 evidence package outputs:
  • ITGC evidence per category with timestamps
  • Population completeness samples (random samples auditor can verify against full data)
  • Exception register (controls that didn’t operate; documented justification)
  • Bridge letter template (used between Type II audit periods to extend reliance)
Most SOC 1 auditors accept Codex packages directly; some require evidence in their own portal — Codex CSV export covers that.