We are delighted to announce that we have successfully achieved our SOC 1 Type 2 unqualified report, a significant milestone that underscores our commitment to the highest standards of operational controls and security.
Whilst our software does not directly handle financial data, we undertook this rigorous assessment to ensure that our processes and systems meet the most exacting standards, providing our customers with the confidence that our controls operate reliably and consistently.
SOC 1 Type 2 is an independent assurance report, developed by the American Institute of Certified Public Accountants (AICPA), which evaluates the design and operating effectiveness of controls over a defined period. Although this standard originates in the United States, it is widely recognised internationally and is particularly valued by customers whose financial reporting is subject to US auditing standards. By achieving SOC 1 Type 2, we make it easier for these organisations to rely on our controls in support of their own audit and compliance requirements.
What Is SOC 1 Type 2?
SOC (System and Organisation Controls) reports are independent assessments developed by the American Institute of Certified Public Accountants (AICPA). A SOC 1 report focuses specifically on controls relevant to financial reporting. It is designed to provide assurance that a service organisation has appropriate controls in place that could impact a customer’s internal financial controls.
A Type 2 report goes one step further than Type 1. While a SOC 1 Type 1 report assesses the design of controls at a specific point in time, a SOC 1 Type 2 report evaluates both the design and the operating effectiveness of those controls over a defined period, typically six to twelve months. This means our controls have been tested in real-world conditions and shown to work consistently over time.
Achieving SOC 1 Type 2 requires extensive documentation, evidence gathering and independent testing by an external auditor. It is widely recognised as one of the most robust and demanding assurance reports available.
How SOC 1 Type 2 Differs from ISO Accreditations and Cyber Essentials
We already hold ISO accreditations (9001/27001) along with Cyber Essentials; SOC 1 Type 2 complements these rather than replacing them. Each framework serves a different purpose and audience.
ISO standards, such as ISO 9001/27001, focus on establishing and maintaining quality and security management systems. They assess whether an organisation has the right policies, procedures and governance in place to manage risk, particularly around quality and information security. ISO certification demonstrates that quality and security are embedded into how the organisation operates on an ongoing basis.
Cyber Essentials, meanwhile, is a UK government-backed scheme that focuses on baseline cyber security hygiene. It provides assurance that key technical controls are in place to protect against common cyber threats, such as malware, phishing and unauthorised access.
SOC 1 Type 2 is different in both scope and emphasis. Rather than focusing primarily on quality and security management or technical controls, it is concerned with controls that impact financial reporting and how reliably those controls operate over time. It is highly evidence-driven and designed specifically to support customer audits and regulatory requirements.
Together, ISO approvals, Cyber Essentials accreditations and SOC 1 Type 2 provide a comprehensive picture: strong governance, robust cyber security foundations and independently verified operational controls.
Why SOC 1 Type 2 Matters to Our US-Based Customers
SOC reporting originated in the United States and is deeply embedded in US regulatory and audit practices. For organisations with headquarters or parent companies in the US, SOC 1 Type 2 is often a critical requirement when engaging third-party suppliers.
US-based customers are frequently subject to stringent internal controls over financial reporting, including Sarbanes-Oxley (SOX) requirements. Using service providers without appropriate SOC assurance can create audit challenges, increase risk and require additional oversight.
By achieving SOC 1 Type 2, we make it significantly easier for our US customers to work with us confidently. They can rely on an independent, internationally recognised report rather than conducting their own extensive audits or assessments. This reduces friction, speeds up procurement and reinforces trust in our ability to support their compliance obligations.
A Commitment to Continuous Improvement
Achieving SOC 1 Type 2 is not a one-off exercise. It reflects a culture of continuous improvement and accountability, with controls that are embedded into day-to-day operations rather than created solely for audit purposes.
The SOC 1 Type 2 assessment was conducted with the support of leading professional services organisation Grant Thornton, providing independent assurance on the design and operating effectiveness of our controls.
Louise Shenton, Head of Compliance & Governance, commented:
“Achieving SOC 1 Type 2 underlines our ongoing commitment to security, resilience and operational excellence. This was a significant achievement and a huge team effort across the business and I would like to thank everyone involved for their dedication and hard work.
We continually review and strengthen our controls and we are constantly exploring new ways to stay ahead of evolving risks and regulatory expectations. As a global leader in workforce and duty management, this milestone gives our customers confidence that they can rely on us today and into the future.”