System and Organization Controls (SOC) 1 Type 2

SOC 1 Type 2 overview

System and Organization Controls (SOC) for Service Organizations are internal control reports created by the American Institute of Certified Public Accountants (AICPA). They are intended to examine services provided by a service organization so that end users can assess and address the risk associated with an outsourced service.

A SOC 1 Type 2 attestation is performed under:

  • SSAE No. 18, Attestation Standards: Clarification and Recodification, which includes AT-C section 320, Reporting on an Examination of Controls at a Service Organization Relevant to User Entities' Internal Control Over Financial Reporting (AICPA, Professional Standards).
  • SOC 1 Reporting on an Examination of Controls at a Service Organization Relevant to User Entities’ Internal Control Over Financial Reporting (AICPA Guide).

The SOC 1 attestation has replaced SAS 70, and it is appropriate for reporting on controls at a service organization relevant to user entities internal controls over financial reporting. A Type 2 report includes auditor’s opinion on the control effectiveness to achieve the related control objectives during the specified monitoring period.

Azure and SOC 1 Type 2

Microsoft Azure, Dynamics 365, and other Microsoft online services undergo regular independent third-party audits for SOC 1 Type 2 compliance. For more information, see the Azure SOC 1 Type 2 attestation report. Aside from the AICPA Statement on Standards for Attestation Engagements 18 (SSAE 18), the Azure SOC 1 Type 2 audit is conducted in accordance with the International Standard on Assurance Engagements No. 3402 (ISAE 3402).

Applicability

  • Azure
  • Azure Government

Services in scope

Microsoft online services in scope are shown in the Azure SOC 1 Type 2 attestation report:

  • Azure (for detailed insight, see Microsoft Azure Compliance Offerings or Azure SOC 1 Type 2 attestation report)
  • Azure DevOps (see separate Azure DevOps SOC 1 Type 2 attestation report)
  • Dynamics 365 (for detailed insight, see Azure SOC 1 Type 2 attestation report)
  • Microsoft 365 Defender (formerly Microsoft Threat Protection)
  • Microsoft Cloud App Security (MCAS)
  • Microsoft Defender for Endpoint (formerly Microsoft Defender Advanced Threat Protection)
  • Microsoft Defender for Identity (formerly Azure Advanced Threat Protection)
  • Microsoft Forms Pro (not in scope for Azure Government)
  • Microsoft Graph
  • Microsoft Intune
  • Microsoft Managed Desktop (not in scope for Azure Government)
  • Microsoft Stream
  • Microsoft Threat Experts (not in scope for Azure Government)
  • Nomination Portal
  • Power Apps
  • Power Automate (formerly Microsoft Flow)
  • Power BI
  • Power Virtual Agents (not in scope for Azure Government)
  • Update Compliance (not in scope for Azure Government)

Office 365 and SOC 1 Type 2

For more information about Office 365 compliance, see Office 365 SOC 1 documentation.

Audit reports

You can access audit reports and certificates in the Azure or Azure Government portal by navigating to Home > Security Center > Regulatory compliance > Audit reports or using direct links based on your subscription (login required):

You must have an existing subscription or free trial account in Azure or Azure Government to download SOC 1 and SOC 2 attestation reports and any bridge letters as needed. Azure SOC 3 attestation report is publicly available.

Azure DevOps SOC 1 Type 2 attestation report is available separately from the Service Trust Portal Audit Reports - SOC Reports section.

Frequently asked questions

How often are Azure SOC reports issued?
SOC reports for Azure, Dynamics 365, and other online services are based on a rolling 12-month run window (audit period) with new reports issued semi-annually (period ends are March 31 and September 30). Bridge letters are issued each quarter to cover the prior three-month period. For example, the January letter covers 1-Oct through 31-Dec, the April letter covers 1-Jan through 31-Mar, the July letter covers 1-Apr through 30-Jun, and the October letter covers 1-Jul through 30-Sep.

How can customers benefit from Azure SOC 1 Type 2 attestation?
Customers can leverage the Azure SOC 1 Type 2 attestation when pursuing their own financial industry specific compliance requirements such as Sarbanes-Oxley (SOX), Federal Financial Institutions Examination Council (FFIEC), Gramm-Leach-Bliley Act (GLBA), and others.

Where can I get the Azure SOC audit documentation including bridge letters?
For links to audit documentation, see Audit reports. You must have an existing subscription or free trial account in Azure or Azure Government to login. You can then download audit certificates, assessment reports, and other applicable documents to help you with your own regulatory requirements.

Azure DevOps customers who can't access the Service Trust Portal can email Azure DevOps for its SOC 1 and SOC 2 reports. This email is to request Azure DevOps SOC reports only.

Where can I see management responses to exceptions noted?
Management responses are located towards the end of the SOC attestation report. Search the document for "Management Response".

Where can I see user entity responsibilities?
User entity responsibilities are located at the very end of the SOC attestation report. Search the document for "User Entity Responsibilities".

Resources