Many U.S. companies receive SOC 1 reports, which were previously referred to as SSAE 16 reviews, from certain types of vendors/service organizations. SOC 1 reports are a review of the service organization’s controls in support of the audit of a client’s financial statements. These reports are typically issued once a year in the late fall.
While most organizations do a good job of recognizing the need to request these reports from the service organizations they use, the reports often are not properly reviewed and evaluated once received. So, what do you do with a SOC 1 report once it arrives, other than hand it to the internal and external auditors?
Common Questions on SOC 1 (f. SSAE 16)
Before we dive into how to review a SOC 1 (f. SSAE 16) report, let’s go over some common questions users have.
Many users ask whether an SSAE 16 report is the same as a SOC 2 report. The answer is no. A SOC 1 report was previously referred to as an SSAE 16 review, and there are distinct differences between a SOC 1 and a SOC 2. A SOC 1 (f. SSAE 16), as mentioned above, is a review of controls relevant to a client’s financial reporting. The control objectives included in a SOC 1 report typically cover information technology general controls (such as logical access, change management, and computer operations) and the business processes that feed the client’s financial statements.
So what is a SOC 2 report? A SOC 2 report focuses on non-financial controls, specifically on the Trust Services Criteria. These criteria relate to security, availability, confidentiality, processing integrity, and privacy of the service organization’s system. Please refer to our service page for further details regarding a SOC 2 audit.
Critical Areas for Review
The following are suggestions for reviewing SOC 1 reports (f. SSAE 16):
Report Topic: Many service organizations issue multiple SOC 1 reports for the various products they offer. Review the title and system description to determine whether the report is in support of the product your organization is using.
Report Dates: More than a few service organizations try to pass off old reports as current reports. Make sure you are provided with the current report. Additionally, make sure the time period covered by the report meets your needs. A Type II report tests both the design and the operating effectiveness of the controls over a period of time (commonly six to twelve months); a Type I report covers only the design and implementation of the controls as of a single point in time and gives you no evidence that they operated. If the report period ends well before your own fiscal year-end, ask the service organization for a bridge (gap) letter covering the intervening months or for the next report’s timing. If the report timing still doesn’t provide the coverage you require, discuss it with the service organization.
Service Auditor: The name of the service auditor issuing the SOC 1 report is typically located in Section I of the report. Do some research on the service auditor issuing the report and determine whether they are a reputable firm. Good resources to review are the AICPA’s website, where peer review reports can be found, and the website of the state accountancy board, such as the Colorado Department of Regulatory Agencies – DORA. If you don’t find any information on the service auditor after performing a search on these or related sites, discuss your concerns with the service organization.
Auditor Opinion: In the first section of the report, the opinion of the service auditor can be found. This opinion will outline the scope of the report and whether the report is qualified or unqualified. If the report is qualified, your organization will need to evaluate how this qualification impacts your reliance on the report. Learn more about qualified opinions.
Management’s Assertion: Management of the service organization is required to include a written assertion in the report stating that the system description is fairly presented and that the controls were suitably designed (and, for a Type II report, operated effectively) throughout the period. In some instances SOC 1 reports are issued without a management assertion, or the scope and conclusions in the management assertion differ from those in the auditor’s opinion. If the assertion is missing or the two do not agree, a conversation with the service organization is warranted.
Location: Service organizations often have multiple locations, which is to be expected in the global economy. Make sure the report and the audit testing cover the locations where the vendor actually performs services for your company. The locations covered can usually be found in the system description of the report; if it is not obvious, ask the service organization to clarify.
Processes, People, & Systems: The processes, as well as the people and systems that support them, should be adequately described in the report. Make sure there is sufficient detail for you to understand what the service organization is doing and, just as importantly, what it is not doing. If a key process (e.g., information security or change management) is not described in the report, ask the service organization about it.
Subservice Organizations: In some instances a service organization relies on a subservice organization (for example, a data center or cloud hosting provider) to deliver a portion of its services to the user entity. If a subservice organization is used, determine whether the report applies the carve-out method or the inclusive method. Under the carve-out method, the services provided by the subservice organization and the controls over those services are excluded from the scope of the SOC 1 report; the description should still identify the subservice organization, the controls the service organization expects it to have in place, and how the service organization monitors it. If the carved-out services are material to your evaluation of the control environment, you may need to request a SOC 1 report from the subservice organization directly. Under the inclusive method, the subservice organization’s services and controls are included in the scope of the SOC 1 report and are tested along with the service organization’s own. If any questions arise regarding the subservice organization, the services it provides, and what the report actually covers, clarify with the service organization.
Complementary User Entity Controls (CUECs): Complementary user entity controls (CUECs) are controls that the service organization assumes its customers (the user entities) have implemented, and that are necessary for the service organization’s control objectives to be achieved. Typical examples are timely notification of terminated employees, review of user access listings, and reconciliation of output reports. When reviewing a SOC 1 report, your organization needs to read the CUECs and determine whether it is actually performing each control listed; a control objective in the report is only met for you if you are doing your part. Most SOC 1 reports have CUECs listed within them. Make sure your company considers these carefully. Learn more about complementary user entity controls.
Testing Procedures and Results: Based on whether the SOC 1 report you are reviewing is a Type I or Type II report, review the extent of testing performed and determine whether it is sufficient to meet your organization’s needs (a Type I contains no operating-effectiveness test results). The controls tested, the description of the testing performed, and the results of that testing can generally be found in Section IV of the report. Review any exceptions or deviations identified, including management’s response and how they were mitigated and/or remediated, and determine how they impact your organization.
In this blog post, we covered several areas of a SOC 1 (f. SSAE 16) report that should be considered when reviewing it. There are different concerns to weigh when reviewing a SOC 1 report, and the lens through which you review it should reflect the coverage you need to obtain for your organization.
Often, dialogue with the service organization is required in order to clarify questions regarding the scope and results of the report. Reviewing the report yourself, rather than just passing it off to the internal and external auditors, is important in order to understand the services being provided, the effectiveness of the service organization’s controls, and how they impact your organization.
Linford & Company is a CPA firm that specializes in various audits, including SOC 1 and SOC 2 assessments, and other auditing services. If you have further questions on what a SOC 1 audit entails, please review our page and contact us to see how we can further assist you and your organization.