SOC 1 Training

The practitioner course for UK service organisations with US clients. CPD-certified SOC 1 (SSAE 18) training covering Type I and Type II reporting, control objectives, audit evidence collection, and assurance report readiness.

CPD-Certified · Practitioner Level · SOC 1 / SSAE 18 · US-Market Compliance · Online

What Is SOC 1 Training?

SOC 1 training is professional development in the AICPA SOC 1 framework — the US standard (SSAE 18) for assurance reports on service organisation controls relevant to user entities' financial reporting. It covers Type I and Type II report structures, control design, audit evidence, and engagement readiness for UK service organisations with US enterprise clients.

If your organisation provides outsourced services to US enterprises — payroll processing, fund administration, claims handling, data centre operations — your clients' auditors will require a SOC 1 report under SSAE 18. SOC 1 is the US AICPA equivalent of ISAE 3402, and understanding both standards is increasingly required of UK service organisation compliance teams.

This CPD-certified course equips UK professionals with the practical technical knowledge to design SOC 1-compliant controls, produce a management assertion, work effectively with CPA firms conducting the examination, and prepare for SOC 1 Type I or Type II audits.

SOC 1 Course Curriculum

The SOC 1 curriculum takes you from standard interpretation to a complete audit-ready service organisation controls programme:

SOC 1 Framework Overview

  • History: from SAS 70 to SSAE 16 to SSAE 18 (AT-C 320)
  • SOC 1 vs ISAE 3402 vs SOC 2: what to use and when
  • Who requests SOC 1 reports: US clients, investment managers, audit firms
  • Trust and compliance: why SOC 1 matters to UK-based service organisations

Report Design

  • Scoping the system description: boundaries and inclusions
  • Inclusive vs carve-out method: sub-service organisation decisions
  • Control objectives: defining what you are asserting
  • Mapping financial reporting risks to control objectives

Evidence and Testing

  • What US CPA firms test and how to prepare
  • Evidence types: inquiry, observation, re-performance, inspection
  • Population selection and sample sizes under SSAE 18
  • Exception rates, deviations, and how they affect the auditor's opinion

Audit Readiness

  • Readiness assessment: scoring your SOC 1 preparation
  • Gap remediation: prioritising control improvements by risk
  • Auditor selection: choosing a US CPA firm with UK presence
  • Managing the audit timeline: from engagement letter to report issuance

Dual-Standard Reporting

  • Running SOC 1 and ISAE 3402 simultaneously: shared evidence and controls
  • SOC 1 and ISO 27001 overlap: leveraging ISMS evidence for SOC 1
  • Managing multi-standard compliance calendars
  • Post-report activities: distributing SOC 1 reports and managing client queries

What You Will Learn: SOC 1 Modules

The SOC 1 practitioner course covers the SSAE 18 framework from foundations to a complete audit-ready posture:

Module | What You Will Learn
Module 1: SOC 1 & SSAE 18 Foundations | Understand SOC 1 purpose, scope, and the SSAE 18 (AT-C Section 320) standard. Covers how SOC 1 differs from SOC 2, ISAE 3402, and SOC 3 — and when SOC 1 is required by US enterprise clients.
Module 2: Type I vs Type II Reports | Master Type I (design suitability at a point in time) vs Type II (operating effectiveness over a period). Understand the implications for your service organisation and what US clients typically require.
Module 3: Control Objectives & Scope Definition | Define control objectives aligned to user entity financial statement assertions. Scope the system description, and determine whether to use inclusive or carve-out methodology for sub-service organisations.
Module 4: CPA Firm Requirements & Evidence | Understand what a US CPA firm will test, how to prepare evidence, and how to manage the examination process — including population selection, sample sizes, and exception handling.
Module 5: Report Structure & Management Assertion | Navigate the SOC 1 report components — system description, management assertion, auditor's report, and control matrices. Understand opinion types and what qualified opinions mean for your clients.
Module 6: SOC 1 Readiness for UK Organisations | Practical readiness assessment for UK service organisations — bridging from UK controls frameworks (ISAE 3402, ISO 27001) to SSAE 18 requirements, and managing dual-standard reporting programmes.

Why Choose GRC Index for SOC 1 Training?

GRC Index is the only UK-based CPD-certified training provider offering dedicated SOC 1 (SSAE 18) training alongside ISAE 3402 — recognising that many UK service organisations must satisfy both US clients (SOC 1) and European clients (ISAE 3402) with separate but related assurance reports. Our SOC 1 training is developed by practitioners who have managed dual-standard ISAE 3402 and SOC 1 programmes for UK service organisations — giving you the practical knowledge to run both simultaneously without duplicating effort.

Advantage | Detail
UK-to-US Bridge | Specifically designed for UK service organisations navigating US AICPA requirements — not a US-market repackage
SOC 1 + ISAE 3402 Dual Coverage | Offered alongside dedicated ISAE 3402 training — enabling dual-standard programme design
CPA Firm Readiness Focus | Practical content on what US CPA firms look for — not just what the standard says
CPD-Certified — 10 Hours | Recognised for IIA, ACCA, ICAEW, ISACA professional body CPD requirements
GRC Score Connection | SOC 1 controls map directly to GRC Index Compliance and Governance domain scores

Who Should Take SOC 1 Training?

SOC 1 training is designed for UK professionals at service organisations with US client obligations:

Professional Role | Why This Course Matters
Internal Auditors at Service Organisations | Manage SOC 1 evidence collection, coordinate with US CPA firms, and lead remediation programmes for UK organisations with US clients
Service Organisation Compliance Teams | Understand SOC 1 requirements and management assertion obligations — critical for operations and shared services teams with US enterprise contracts
CFOs & Finance Directors at Service Organisations | Understand personal responsibility under the management assertion and the implications of qualified SOC 1 opinions for client relationships
Fund Administrators & Custodians | Fund administration and custody businesses commonly subject to SOC 1 requirements from US investment managers and limited partners
Payroll & HR Outsourcing Providers | Payroll processors and HR service providers with US multinational clients requiring SSAE 18 assurance on payroll controls
IT Governance & Operations Teams | IT operations teams providing services within SOC 1 scope — data centres, application hosting, and managed services for US financial services clients

Frequently Asked Questions: SOC 1 Training

What is SOC 1 training?

SOC 1 training is professional development in the AICPA SOC 1 framework (SSAE 18 / AT-C Section 320) — the US assurance standard for service organisation controls relevant to financial reporting. It covers Type I and Type II report structures, control objective design, audit evidence, and readiness for CPA firm examinations.

What is the difference between SOC 1 and ISAE 3402?

SOC 1 (SSAE 18) and ISAE 3402 serve the same purpose but apply different standards. SOC 1 is the US AICPA standard used by US enterprise clients and investment managers. ISAE 3402 is the international IAASB standard used by European and UK clients. Many UK service organisations obtain both reports for different client markets. GRC Index offers dedicated training for each.

Who needs a SOC 1 report?

Service organisations whose operations affect their clients' financial reporting require SOC 1 (SSAE 18) reports when serving US enterprise clients. This includes fund administrators, payroll processors, transfer agents, data centre operators, claims administrators, and IT managed service providers with US financial services clients.

What is the difference between SOC 1 Type I and Type II?

A SOC 1 Type I report confirms that controls are suitably designed as at a specific point in time. A SOC 1 Type II report confirms that controls operated effectively over a defined period (typically 6–12 months). US clients almost universally require Type II reports for ongoing vendor compliance. GRC Index training covers both in detail.

How does SOC 1 differ from SOC 2?

SOC 1 covers controls relevant to user entity financial reporting — payroll accuracy, transaction processing, custody controls. SOC 2 covers data security, availability, and privacy controls using the AICPA Trust Services Criteria. SOC 1 and SOC 2 serve different purposes and different client populations. Many technology service organisations obtain both.

Is SOC 1 training CPD-certified?

Yes. GRC Index SOC 1 training awards 10 CPD hours upon completion. CPD credits are recognised towards IIA, ACCA, ICAEW, ISACA, and CISI professional body membership requirements.