System and Organization Controls (SOC) for Service Organizations are internal control reports created by the American Institute of Certified Public Accountants (AICPA). They're intended to examine services provided by a service organization so that end users can assess and address the risk associated with an outsourced service.
A SOC 1 Type 2 attestation is performed under:
SSAE No. 18, Attestation Standards: Clarification and Recodification, which includes AT-C section 320, Reporting on an Examination of Controls at a Service Organization Relevant to User Entities' Internal Control Over Financial Reporting (AICPA, Professional Standards).
SOC 1 Reporting on an Examination of Controls at a Service Organization Relevant to User Entities' Internal Control Over Financial Reporting (AICPA Guide).
Aside from the AICPA Statement on Standards for Attestation Engagements 18 (SSAE 18), the Office 365 SOC 1 Type 2 audit is conducted in accordance with the International Standard on Assurance Engagements No. 3402 (ISAE 3402). The SOC 1 attestation has replaced SAS 70, and it's appropriate for reporting on controls at a service organization relevant to user entities internal controls over financial reporting. A Type 2 report includes auditor's opinion on the control effectiveness to achieve the related control objectives during the specified monitoring period.
Microsoft in-scope cloud platforms & services
Microsoft online services in scope are shown in the Azure SOC 1 Type 2 attestation report:
Office 365, Office 365 U.S. Government, Office 365 U.S. Government - High, Office 365 U.S. Government Defense
Power Apps
Power Automate
Power BI
Power Virtual Agents
Update Compliance
Azure, Dynamics 365, and SOC 1
For more information about Azure, Dynamics 365, and other online services compliance, see the Azure SOC 1 offering.
Office 365 and SOC 1
Office 365 environments
Microsoft Office 365 is a multi-tenant hyperscale cloud platform and an integrated experience of apps and services available to customers in several regions worldwide. Most Office 365 services enable customers to specify the region where their customer data is located. Microsoft may replicate customer data to other regions within the same geographic area (for example, the United States) for data resiliency, but Microsoft will not replicate customer data outside the chosen geographic area.
This section covers the following Office 365 environments:
Client software (Client): commercial client software running on customer devices.
Office 365 (Commercial): the commercial public Office 365 cloud service available globally.
Office 365 Government Community Cloud (GCC): the Office 365 GCC cloud service is available for United States Federal, State, Local, and Tribal governments, and contractors holding or processing data on behalf of the US Government.
Office 365 Government Community Cloud - High (GCC High): the Office 365 GCC High cloud service is designed according to Department of Defense (DoD) Security Requirements Guidelines Level 4 controls and supports strictly regulated federal and defense information. This environment is used by federal agencies, the Defense Industrial Base (DIBs), and government contractors.
Office 365 DoD (DoD): the Office 365 DoD cloud service is designed according to DoD Security Requirements Guidelines Level 5 controls and supports strict federal and defense regulations. This environment is for the exclusive use by the US Department of Defense.
Your organization is wholly responsible for ensuring compliance with all applicable laws and regulations. Information provided in this section does not constitute legal advice and you should consult legal advisors for any questions regarding regulatory compliance for your organization.
Office 365 applicability and in-scope services
Use the following table to determine applicability for your Office 365 services and subscription:
Applicability
In-scope services
Commercial
Compliance Manager, Customer Lockbox, Delve, Exchange Online Protection, Exchange Online, Forms, Griffin, Identity Manager, Lockbox (Torus), Microsoft Teams, MyAnalytics, Office 365 Customer Portal, Office 365 Microservices (including but not limited to Kaizala, ObjectStore, Sway, PowerPoint Online Document Service, Query Annotation Service, School Data Sync, Siphon, Speech, StaffHub, eXtensible Application Program), Office Online, Office Services Infrastructure, OneDrive for Business, Planner, PowerApps, Power BI, Project Online, Service Encryption with Microsoft Purview Customer Key, SharePoint Online, Skype for Business
GCC
Microsoft Entra ID, Compliance Manager, Delve, Exchange Online, Forms, Microsoft Defender for Office 365, Microsoft Teams, MyAnalytics, Office 365 Advanced Compliance add-on, Office 365 Security & Compliance Center, Office Online, Office Pro Plus, OneDrive for Business, Planner, PowerApps, Power Automate, Power BI, SharePoint Online, Skype for Business, Stream
GCC High
Microsoft Entra ID, Exchange Online, Forms, Microsoft Defender for Office 365, Microsoft Teams, Office 365 Advanced Compliance add-on, Office 365 Security & Compliance Center, Office Online, Office Pro Plus, OneDrive for Business, Planner, PowerApps, Power Automate, Power BI, SharePoint Online, Skype for Business
DoD
Microsoft Entra ID, Exchange Online, Forms, Microsoft Defender for Office 365, Microsoft Teams, Office 365 Advanced Compliance add-on, Office 365 Security & Compliance Center, Office Online, Office Pro Plus, OneDrive for Business, Planner, Power BI, SharePoint Online, Skype for Business
You must have an existing subscription or free trial account in Office 365 or Office 365 U.S. Government to download SOC 1 and SOC 2 attestation reports and any bridge letters as needed.
Frequently asked questions
How often are Office 365 SOC reports issued?
Microsoft commissions a full SOC 1 Type 2 and SOC 2 Type 2 examination of Office 365 annually. The auditor's reports on these examinations (also known as audits) are issued as soon as they are ready after that audit. The SOC 3 report, which is based on the SOC 2 examination, is issued at the same time.
Because Microsoft doesn't control the investigative scope of the examination nor the timeframe of the auditor's completion, there's no set timeframe when these reports are issued. The reports are usually issued a few months after the end of the period under examination. Microsoft doesn't allow any gaps in the consecutive periods of examination from one examination to the next.
Microsoft also commissions a mid-year SOC 1 Type 1 and SOC 2 Type 1 examination of Office 365 for new Microsoft services that have been issued since the last SOC Type 2 audit. Type 1 audits don't look back over a period of performance.
Due to the sophisticated nature of Office 365, the service scope is large if examined as a whole. This can lead to examination completion delays due to scale. Microsoft organizes all the examinations described previously into 2 categories: Core Services and Microservices. Microsoft issues a report scoped to each examination.
SOC Type 2 audits examine a rolling 12-month run window (also known as the audit period or more formally period of performance) with examinations conducted annually for the period 1-October through 30-September of the next calendar year. The examination starts promptly after the period of performance is complete.
Microsoft also issues bridge letters (also known as gap letters). These are self-attestations by Microsoft, not reports based on examinations by the auditor. Bridge letters are issued during the current period of performance that isn't yet complete and ready for audit examination. Microsoft issues bridge letters at the end of each quarter to attest our performance during the prior three-month period. Due to the period of performance for the SOC type 2 audits, the bridge letters are typically issued in December, March, June, and September of the current operating period.
How can customers benefit from Office 365 SOC 1 Type 2 attestation?
Customers can use the Office 365 SOC 1 Type 2 attestation when pursuing their own financial industry-specific compliance requirements such as Sarbanes-Oxley (SOX), Federal Financial Institutions Examination Council (FFIEC), Gramm-Leach-Bliley Act (GLBA), and others.
Where can I get the Office 365 SOC audit documentation including Microsoft's bridge letters?
For links to audit documentation, see the audit report section of the Service Trust Portal. You must have an existing subscription or free trial account in Office 365 or Office 365 U.S. Government to sign in. You can then download audit certificates, assessment reports, and other applicable documents to help you with your own regulatory requirements.
Where can I see management responses to exceptions noted?
Most examinations have some observations on one or more of the specific controls examined. Some number of observations is to be expected. Management responses to any exceptions are located towards the end of the SOC attestation report. Search the document for 'Management Response.'
Where can I see user entity responsibilities?
User entity responsibilities are your control responsibilities necessary if the system as a whole is to meet the SOC 2 control standards. These are located at the very end of the SOC attestation report. Search the document for 'User Entity Responsibilities.'
Use Microsoft Purview Compliance Manager to assess your risk