SOC 1

A SOC 1 report documents a cloud service provider’s internal controls that may be relevant to a customer’s financial reporting. This report is particularly useful for organizations that audit financial statements.

SSAE 18 / ISAE 3402 Type II

The Auditing Standards Board of the American Institute of Certified Public Accountants (AICPA) created the Statement on Standards for Attestation Engagements No. 18 (SSAE 18) to keep pace with globally recognized international accounting standards.

SSAE 18 aligns closely with the International Standard on Assurance Engagements 3402 (ISAE 3402).

SSAE 18 and ISAE 3402 are used to generate a report by an objective third party attesting to a set of assertions made by an organization about its controls. The Service Organization Controls (SOC) framework is the method by which the control of financial information is measured.

Google Cloud undergoes a regular third-party audit to certify individual products against this standard.

Audit Reports

SOC 1 Type 2 reports are issued semi-annually around June and December (period ending 30-April and 31-October) and can be requested via the Compliance Reports Manager, for Google Cloud and Google Workspace. Google creates a total of 3 bridge letters⁽¹ covering a 3 month period on 12/31, 3/31, and 6/30 and are issued 2 weeks after the period ends (e.g. April bridge letter includes January 1 - March 31). Bridge letters can only be created looking back on a period that has already passed. Additionally, bridge letters can only be issued up to a maximum of 6 months after the initial reporting period end date.

Bridge Letters are available separately from the compliance reports manager, and can be obtained by contacting sales.

Potential customers can reach out to sales for more information.

1) Bridge Letters are only available for SOC 1 and SOC 2 Reports