What is a SOC 1 and Do You Need One?
So, you have a customer telling you they need your SOC 1 report, but you do not currently have one and you need guidance on how to obtain one. This is a common problem we see in clients and is generally a positive sign that your firm is growing and obtaining larger customers that need assurance over your business processes as a component of their due diligence procedures. Whatever your current familiarity with SOC reports, this article will hopefully provide insights into the SOC 1, help you determine if the SOC 1 is right for your organization, and provide you steps on how to obtain a report.
SOC 1 Overview
A System and Organization Controls 1 (SOC 1) report at a high level is an internal control reporting framework leveraged by service organizations whose service offerings affect internal control over financial reporting of their customers. The information documented in a SOC 1 report is examined by an independent CPA firm and accompanied by the independent auditor’s report opining on the fairness of the presentation of the information within the report, the suitability of the design of the control activities documented within the report, and in most cases the operating effectiveness of the control activities over a specified period. SOC 1 reports are obtained by service organizations and used by their customers and/or their customers financial statement auditors to gain assurance over the controls at the service organization that could impact the customer’s financial reporting.
SOC 1 examinations are governed by standards issued by the American Institute of Certified Public Accountants (AICPA). These standards are codified into Statements on Standards for Attestation Engagements (SSAEs) – the most recent SSAE publication affecting SOC reports was the 18th edition, therefore, SOC reports are occasionally referred to as SSAE 18 reports.
At the time of this writing there are currently five types of SOC reports: SOC 1, SOC 2, SOC 3, SOC for Cybersecurity, and SOC for Supply Chain (see our blog here discussing the nuances of each). SOC 1 reports are unique in that their focus is on the controls affecting the financial reporting of users of the service organization’s offerings. SOC 1 reports are also uniquely flexible in that they do not have a preestablished set of control criteria, rather service organizations are able to define their own control objectives that are relevant to the financial statement assertions of their broad base of customers. This allows SOC 1 reports to be truly customizable to the needs of service organizations, their customers, and their customers financial statement auditors. Control objectives can be crafted to mitigate operational, transactional, reporting, compliance, or general information technology risks. An experienced CPA firm can assist in the development of these control objectives after obtaining an understanding of your environment.
There are two types of SOC 1 reports conveniently labelled Type I and Type II reports. The difference between the two reports resides in whether the assertion by management and subsequently the examination procedures by the service auditor include the operating effectiveness of the control activities presented over a specified period. In a Type I report the service auditor will report on the fairness of the presentation of the described system and on the suitability of the design of the controls presented. A Type II report will include the same procedures as a Type I; however, it will also include an evaluation of the operating effectiveness of the specified control activities over a predetermined period. Typically, most users of a SOC 1 (your customers and their financial statement auditors) will ultimately expect to see a Type II report to obtain assurance over the operating effectiveness of the controls presented.
Layout of the Report
The SOC 1 report is organized into the following five sections:
- The Independent Service Auditors Report
- Management’s Assertion
- Description of the System
- Control Objectives and Related Control Activities (in the case of a Type II report this section will also include the service auditor’s tests of controls and results)
- Other Information provided by the Service Organization
The initial pages of the SOC 1 report will consist of the independent service auditor’s report including their opinion based on the procedures they performed. The independent opinion provided by a licensed CPA is partially what makes SOC reports so reliable and therefore so widely accepted.
Next will come management’s assertion regarding the fairness of the presentation of the report and the design and operation of the controls stated within. An experienced CPA firm can assist in the presentation of this assertion.
The bulk of the SOC 1 report will consist of what is know as the System Description followed by the specified control objectives and underlying control activities. The System Description is typically a narrative based description of the services being reported upon and contains certain required criteria. Due to the length of these criteria, we will not present them here, however, feel free to contact us and we can provide you more detail.
The System Description can be lengthy and quite intimidating for management of an organization with limited expertise on how to prepare it. An experienced CPA firm or consultant can usually provide guidance to assist in the preparation of the System Description, however the content is ultimately the responsibility of the service organization’s management.
The last examined section of the SOC 1 report consists of the defined control objectives and the specific control activities intended to achieve those control objectives. This information is usually presented in a matrix format and in the case of a Type II report will include the service auditor’s tests of the controls and testing results. The evaluation of this section of the report will encompass the bulk of your service auditor’s procedures.
A fifth section of a SOC 1 report titled Other Information Provided by the Service Organization can optionally be included at the discretion of management. This is an unaudited section of the SOC 1 report and usually serves one of the following purposes:
- It allows management of the service organization to provide a response to control deviations noted by the service auditor and disclosed in the report; or
- It allows management to present further information regarding the service organization, the system evaluated, or other information that may be relevant to users of the report but not necessarily applicable to the scope of the SOC 1.
A SOC 1 report can be a complex endeavor and this high-level overview hopefully provided you context as to the nature of a report.
Still have SOC 1 questions? Contact us to speak with an expert!
Who Needs a SOC 1?
Now that we have a basic understanding of the nature of a SOC 1 report, lets discuss who typically needs one and if a SOC 1 is appropriate for your organization. When organizations choose to outsource components of their business activities to a service organization and those outsourced services become relevant to the internal controls over financial reporting, and therefore relevant to the financial statement auditors of the business, a SOC 1 report may be requested of the service organization. The SOC 1 gives insight to the business and its auditors over the internal control posture of the service organization. A SOC 1 report is only appropriate for a service-based organization, including organizations that offer a service-based product such as a software as a service (SaaS) solution. Common types of organizations who obtain a SOC 1 report include claims processors, transaction processors, collections agencies, financial technology (fintech) platforms, payroll processors, billing agencies, loan servicers, financial institutions, benefit plan providers, etc.
If your organization provides a product or service that impacts the financial statements of your customers, the chances are you will be asked for a SOC 1 at some point in your future. If you have a current or potential customer asking you for a SOC 1, please reach out and we would be happy to provide a complimentary consultation.
Contact us to speak with an expert!
Who Does Not Need a SOC 1?
If your organization does not provide a service or those services do not impact the internal control over financial reporting of your customers, then a SOC 1 report is likely not appropriate for you. As mentioned above, the AICPA offers a suite of SOC reporting frameworks. One of which could likely serve your specific needs. If you are still not sure which SOC report is right for you or have additional questions, please contact us and we’d be happy to discuss your needs.
Contact us to speak with an expert!
How to Obtain a SOC 1?
Obtaining a SOC 1 report can be a daunting process. The first step is to contact a registered CPA firm who offers SOC reporting services, such as AssurancePoint, who can understand your specific needs and walk you through next steps. If it is your first time going through the process, you will likely be advised to undergo a readiness or gap assessment. During this process the CPA firm, an experienced consultant, or even internal personnel with sufficient expertise will walk through your procedures, formalize the scope and control objectives, document a preliminary system description and existing control activities, and identify gaps where control activities may be needed to achieve your control objectives. At AssurancePoint, we offer this service for free to organizations who contract with us for subsequent examinations. See here for why we offer this benefit. Once your readiness assessment is complete you will usually have a period to remediate any identified gaps before you undertake a real examination.
We typically advise clients undergoing their first examination to pursue a Type I report. This examination serves as a great gut-check because it results in a report deliverable that can be provided to your customers, but only includes an evaluation of the design of the control activities as of a point in time. However, a good auditor can inform you of potential concerns with the operating effectiveness of the controls as a component of the Type 1 to further help you sure up your procedures prior to a Type II examination. Because a Type II examination covers the operating effectiveness of controls over a period, this type of examination will be much more exhaustive and can take one or more weeks or even months depending on the scope of the system and complexity of the environment. The Type II is generally the eventual expectation of most users of the SOC 1 report.
Obtaining a SOC 1 report is a commitment that should not be taken lightly. Engaging with an experienced CPA firm that is easy to work with and can provide valuable insights throughout the process can make all the difference. You should know the team you will be working with and their experience level prior to engaging with a firm. Keep in mind that in many firms the professional you speak with during initial consultations will most likely not be the individual you are actively working with throughout your project. At AssurancePoint, our senior management is actively involved at the project level to ensure a quality experience for our clients. Please contact us for a complimentary consultation if you believe you need to obtain a SOC 1 report.
Contact us to speak with an expert!
SOC 1 reports can seem complicated and the examination process intimidating. Hopefully, this article addressed questions or concerns you may have had. The process to obtain a SOC 1 report can be fulfilling and add value to your organization if done correctly. If you are undergoing a SOC 1 report for the first time, or looking for a new service auditor for your existing report, please contact us and we will have an expert reach out to discuss any additional questions or needs you might have. Contact us to speak with an expert!