>

SOC 1 (SSAE 18 / ISAE 3402) — Gap Analysis

AICPA SSAE 18 / ISAE 3402 — Internal Control Over Financial Reporting
SOC 1 2017 Edition All Gaps only
Compliant
Partial
Non-compliant
Not assessed

About SOC 1 (SSAE 18 / ISAE 3402)

SOC 1 is a service organisation control report focused on Internal Control over Financial Reporting (ICFR). It is governed by SSAE 18 (AICPA, US) and ISAE 3402 (IAASB, international). User entities and their financial auditors rely on SOC 1 reports to assess controls at service organisations that impact their financial statements. Type I covers design at a point in time; Type II covers design and operating effectiveness over a period (typically 6–12 months).

Issuing Body

AICPA (US — SSAE 18) / IAASB (International — ISAE 3402)

Edition

2017

Coverage

Internal Control over Financial Reporting (ICFR) at service organisations whose services affect their customers’ financial statements.

Typical Users

Service organisations whose services affect user-entity financial reporting — payroll providers, claims processors, fund administrators, custodians, transaction processors, cloud accounting platforms.

How to use this tool

1. Work through each clause. For each requirement, choose Compliant, Partial, Non-compliant, or leave as Not assessed.

2. Add notes against any requirement to record evidence, gaps, or corrective actions.

3. Click Save progress — data is stored locally in your browser, never uploaded.

4. Export the report as TXT, CSV, JSON or print to PDF for your audit file.

Note: This tool is a guided self-assessment. It does not replace a third-party audit and the authoritative version of the standard must be obtained from the issuing body.

ISO Xpert — Get in touch

UK-based consultancy specialising in management-system gap analysis, training and certification preparation across ISO, API, Halal, GFSI, ESG, cybersecurity and industry-specific standards.

Email

info@iso-xpert.com

Phone / WhatsApp

+44 7853 109840

Office

71-75 Shelton Street, Covent Garden, London WC2H 9JQ, UK

Website

iso-xpert.com

Common Questions

SOC 1 (SSAE 18 / ISAE 3402) ICFR Service Org Controls — Frequently Asked Questions

Quick answers about the SOC 1 (SSAE 18 / ISAE 3402) ICFR Service Org Controls gap analysis tool, data privacy, audit preparation, and ISO Xpert consulting.

What is the SOC 1 (SSAE 18 / ISAE 3402) ICFR Service Org Controls gap analysis tool and how does it work?
The SOC 1 (SSAE 18 / ISAE 3402) ICFR Service Org Controls gap analysis tool is a free browser-based checklist that compares your current management system against the clauses of SOC 1 (SSAE 18 / ISAE 3402) ICFR Service Org Controls. You answer clause-by-clause questions and rate each requirement as Compliant, Partial or Non-compliant. The tool calculates a live compliance score, highlights gaps on a heat-map, captures evidence and corrective-action notes, and exports the full assessment as JSON, CSV, TXT or print-ready PDF for management review and Stage 1 / Stage 2 audit preparation.
Is the SOC 1 (SSAE 18 / ISAE 3402) ICFR Service Org Controls gap analysis tool really free to use?
Yes — the SOC 1 (SSAE 18 / ISAE 3402) ICFR Service Org Controls tool is 100% free with no sign-up, no email capture, no credit card, no watermarks, and no usage limits. It runs entirely in your browser; nothing is transmitted to ISO Xpert servers. You can clear or export your data at any time.
Where is my SOC 1 (SSAE 18 / ISAE 3402) ICFR Service Org Controls assessment data stored?
All SOC 1 (SSAE 18 / ISAE 3402) ICFR Service Org Controls assessment data is stored locally in your browser’s storage. Nothing is uploaded to our servers. This makes the tool GDPR-friendly and suitable for confidential audit data classified up to Restricted. Export anytime as JSON (re-importable), CSV (Excel-pivotable), TXT (executive summary) or PDF (audit-trail evidence).
Can I use this tool to prepare for SOC 1 (SSAE 18 / ISAE 3402) ICFR Service Org Controls certification or surveillance audits?
Yes. The SOC 1 (SSAE 18 / ISAE 3402) ICFR Service Org Controls gap analysis is designed to support preparation for certification by UKAS-, IAS- or ANAB-accredited bodies. Use the exported report as evidence of internal audit, feed it into management review, and prioritise high-severity non-conformities ahead of Stage 1 / Stage 2 visits. ISO Xpert consultants can assist with documented information, internal audits and full implementation if required.
How long does a SOC 1 (SSAE 18 / ISAE 3402) ICFR Service Org Controls gap analysis typically take?
Most users complete an initial SOC 1 (SSAE 18 / ISAE 3402) ICFR Service Org Controls gap analysis in 60 to 120 minutes for a single site, depending on system maturity and clause depth. The tool auto-saves continuously, so you can pause, switch devices via JSON export/import, and resume at any time. Re-assessments after corrective action usually take 20 to 40 minutes.
Does ISO Xpert offer SOC 1 (SSAE 18 / ISAE 3402) ICFR Service Org Controls consulting or training?
Yes. ISO Xpert Ltd (London, UK) provides SOC 1 (SSAE 18 / ISAE 3402) ICFR Service Org Controls gap analysis consulting, internal audits, Stage 1 and Stage 2 certification preparation, lead auditor / internal auditor training, and full management-system implementation. Contact info@iso-xpert.com or WhatsApp +44 7853 109840.

More questions? Contact ISO Xpert or browse other cyber-gap-analysis tools.

Related Tools

More Cyber Tools

Explore other gap analysis and risk-assessment tools in the same category — useful for integrated management systems and cross-standard alignment.

Cyber
SOC 2 (AICPA Trust Services Criteria 2017, rev. 2022) Trust Services Criteria
Cyber
CMMC 2.0 US DoD Cyber Maturity
Cyber
Cyber Essentials Plus (UK NCSC) UK Cyber Baseline
Cyber
HITRUST CSF v11 Healthcare Cyber Framework
Cyber
NIS2 Directive (EU 2022/2555) EU Cyber Resilience
Cyber
NIST Cybersecurity Framework 2.0 Cybersecurity Framework

Browse the full Cyber category or all 125+ ISO Xpert tools.