
What is a SOC 1 Audit?

  • May 5, 2017
  • 5 min read

A SOC 1 report is an independent auditor’s report on the internal controls placed in operation by a service organization over the services it provides to user entities when such controls are likely to be relevant to the user entities’ internal controls over financial reporting. Note: As used here, a “service organization” is an entity to which services are outsourced.

What Does “SOC” Stand For?

The term “SOC” was defined as “Service Organization Control” until the AICPA changed the meaning of the term. In 2017, the AICPA introduced the term system and organization controls (SOC) to refer to the suite of services practitioners may provide in connection with system-level controls of a service organization and system- or entity-level controls of other organizations. For example, the AICPA recently introduced a new service, an examination of an entity’s cybersecurity risk management program and related controls, under the name SOC for Cybersecurity.

Service Organizations That May Need a SOC 1

The types of service organizations that may need a SOC 1 report include, among others, providers of:

  • IT managed services such as colocation, hosting, cloud and IT department outsourcing.

  • Application service providers or software-as-a-service (SaaS) providers whose application is related to the user entity’s financial reporting (e.g., accounting, payroll, and benefits processing).

  • Credit and debit card payment processing services.

  • Health care claims processing services for self-insured organizations.

  • Bank trust department services, such as for an employee benefit plan’s assets.

  • Custodians of investment securities for investment companies.

  • Mortgage servicers or depository institutions that service loans for others.

  • Independent system operators in the electric utility industry.

Internal Controls over Financial Reporting

The controls addressed by a SOC 1 report are those that a service organization implements to prevent or detect and correct errors or omissions in information it provides to user entities relevant to their internal controls over financial reporting or “ICFR.” The SOC 1 covers ICFR when such controls are part of the user entity’s financial reporting-related processes and systems but are implemented and maintained by the service organization.

User Entity and User Auditor Needs

SOC 1 reports are intended to meet the needs of entities that use service organizations (user entities) and their independent auditors who audit the user entities’ financial statements (user auditors) when user auditors are evaluating the effect of controls at the service organization on the user entities’ financial statements. User auditors use SOC 1 reports to plan and perform audits of user entities’ financial statements.

A user auditor performing an audit of a user entity’s financial statements is required to perform risk assessment procedures to obtain an understanding of how the user entity uses the services of a service organization. The user auditor is required to assess the risk of material misstatement of the user entity’s financial statements related to the services provided by the service organization.

Although the requirement to assess the risk of material misstatement of the user entity’s financial statements applies to all financial statement audits, user auditors of publicly-traded companies also rely on SOC 1 reports when evaluating the internal controls in place to meet Sarbanes-Oxley Act (SOX) obligations.

The User Auditor’s Responsibilities

When any part of the user entity’s financial reporting-related processes and systems are outsourced to a service organization, the user auditor’s aforementioned risk assessment must address controls at the service organization.

Accordingly, the user auditor must obtain an understanding of the service organization’s services, business processes, information systems and accounting records (collectively, “the system”) and the related risks that could negatively impact the integrity of the user entity’s financial statements. The related risks typically relate to the completeness, accuracy and timeliness of financial reporting-related transaction processing; error detection and correction processes; and reporting of events and conditions, other than transactions, that are significant to the financial statements.

The Service Organization’s Responsibilities

In the event a SOC 1 report is justified, management of the service organization will need to engage an independent auditor (service auditor) who will assist them in completing a number of key tasks. These include, among others:

  • Defining the scope of the service auditor’s engagement.

  • Determining the type of engagement to be performed (a type 1 engagement reports on the description of the system and the suitability of the design of controls as of a point in time; a type 2 engagement additionally tests the operating effectiveness of those controls over a period of time).

  • Determining the period to be covered by the report (AICPA guidance treats a period of less than 6 months as unlikely to be useful to user auditors, and 12 months is common) or, in the case of a type 1 report, the specified “as-of” date of the report.

  • Selecting the criteria to be used for preparing the description of the service organization’s system.

  • Preparing the description of the service organization’s system.

  • Determining whether any subservice organizations will be included in or “carved out” of the description.

  • Specifying the control objectives and related internal controls.

  • Identifying the risks that threaten the achievement of the control objectives.

  • Preparing management’s written assertion.

Many of the key tasks bulleted above are complex and potentially time-consuming. They are explained more fully in SOC 1 guidance.

SOC 1 Guidance

SOC 1 engagements must conform to the requirements of certain AICPA attestation standards and interpretations. Such audit guidance includes:

  • SSAE 18—Statement on Standards for Attestation Engagements (SSAE) No. 18, Attestation Standards: Clarification and Recodification (AICPA, Professional Standards). SSAE 18 recodified all previous attestation standards (including SSAE 16, the prior professional standard for SOC 1 reports) and is effective for service auditors’ reports dated on or after May 1, 2017.

  • SOC 1 Audit Guide—AICPA Guide, Reporting on an Examination of Controls at a Service Organization Relevant to User Entities’ Internal Control Over Financial Reporting (SOC 1®) (AICPA, Service Organizations Guide Task Force).

SSAE 18 primarily affects service auditors rather than service organizations. A report issued under SSAE 18’s AT-C Section 320, Reporting on an Examination of Controls at a Service Organization Relevant to User Entities’ Internal Control Over Financial Reporting, will continue to be referred to as a “SOC 1 report.” The term “SSAE 16 report” is no longer valid and should not be used going forward, and the term “SSAE 18 report” will probably be avoided by most service auditors.

Structure of the SOC 1 Report

SOC 1 reports prepared by klsCPA are aligned to SOC 1 guidance and generally contain the following sections:

Optionally, the SOC 1 report can include an additional section entitled “Other Information Provided by the Service Organization.” The information provided in this optional section is not subjected to audit procedures. When a SOC 1 report contains this optional section, Section I – Report of Independent Auditors is modified to exclude the section from the scope of audit testing.

Distribution of the SOC 1 Report

A SOC 1 report is a restricted distribution report. The report is intended for use by service organization management and user entities (your clients or customers), who may provide it to user auditors (the independent auditors of your clients or customers). The report should not be posted online nor should it be provided to others.

Please contact us if you have questions about SOC audits, HIPAA audits or related advisory services or wish to obtain a quote.


Copyright © 2017 by Kerry L. Shackelford CPA LLC
