You have poured your blood, sweat, and tears into your startup and it is about to pay off. You are close to finalizing a deal with a new, large customer. You have worked long and hard to connect with them and demonstrate the value of your service or system. They are excited. You are excited. With the hard part out of the way, you are working with them to go through the legalese and sign an agreement. As you read through the terms and conditions of the contract, you notice a small clause that requires you to provide a SOC 1 or an SSAE 18 report. A flood of questions fills your mind.
Does this sound familiar? If it does, don’t worry. There is help out there. Some firms will provide you with a standard, one-size-fits-all SOC 1 compliance checklist that reviews what you need to do to meet the requirements for a SOC 1 report. However, there is no such list. What will serve you best is a better understanding of SOC 1 reports and a list of questions to ask about them.
This article will cover some of the critical questions that you have and will need to answer to determine how to proceed. These questions include:
- What is a SOC 1 audit?
- What type of SOC 1 report do you need?
- What should be included in the scope of your SOC 1 audit?
- Are we ready for a SOC 1 audit?
- How much does it cost?
What is a SOC 1 Audit?
These audits have gone by a few different names over the years: SAS 70, SSAE 16, SSAE 18, and now SOC 1. A SOC 1 audit is short for a System and Organization Controls (SOC) 1 audit.
SOC audits are examinations for service organizations. SOC 1 audits focus on the processes and controls that a service organization performs that are likely to be relevant to a user entities’ own internal control over financial reporting (ICFR).
If your organization does not provide a service that would impact your users’ financial reporting, it probably doesn’t make sense to get a SOC 1 examination. However, be careful in ruling that out. If you help process, store, or transmit transactions or financial data for your clients, you may be considered material to a client’s ICFR. For example, a data center or hosting provider may not process transactions for a client; however, it would play a key part in internal control if the financial data is stored in its facility.
Don’t get confused, but there are different kinds of SOC audits. A SOC 2 is another kind of audit for service organizations. SOC 2 audits focus on a service organization’s controls that address the Trust Services Criteria for security, availability, processing integrity, confidentiality, and privacy.
Unlike a SOC 2, SOC 1 examinations do not use a fixed set of criteria to assess each service organization. The scope of a SOC 1 audit is tailored to the services provided and how they may impact user entities’ internal control over financial reporting. We will talk more about this a little later.
You can learn more about SOC 1 reports in our article, What is a SOC 1 Report? Expert Advice You Need to Know.
What Type of SOC 1 Report Do You Need?
Assuming that your organization does impact or support your users’ internal control over financial reporting, the next question to ask is, “What type of SOC 1 report do you need?”
In order to choose what type of SOC 1 report you need, you must know what your options are. There are only two types—Type I (one) and Type II (two). Really original, I know. So, your options are a Type I SOC 1 or Type II SOC 1 report. The difference between the two types is a matter of time.
A Type I SOC 1 report is written as of a point-in-time or a specific date—say as of December 31, 2018. Because it is as of a specific date, a Type I SOC 1 report can only attest to effectiveness of the design of controls on that date. Having an effective design essentially means that an organization has the right controls in place to achieve the specified control objectives if the controls were operating effectively. A Type I SOC 1 audit does not examine whether the controls were operating effectively over a period of time.
A Type II SOC 1 report covers a period of time—from January 1, 2018 to December 31, 2018. Type II SOC 1 reports are used to assess the effectiveness of the design and operation of controls over the period of time. The period covered is typically one year; however, it may be as short as 6 months or as long as 18 months. This is typically the report that a user organization will want as they will be using the SOC 1 report as support for the portion of ICFR that your organization performs for them as it pertains to their financial audit.
So, if a Type II is considered a better report than a Type I, why would anyone ever get a Type I report? The answer is quite simple—you get a Type I report when you do not have time to wait for the period needed for a Type II audit. We have found that organizations that require a SOC report in order for a deal to close can be flexible. Often they may accept a first-year Type I report with the expectation that you will provide a Type II every year thereafter. Or they will allow an organization 6-12 months to get a Type II SOC 1.
Another key item to consider when choosing the type of SOC 1 audit is timing. If you are getting a Type II SOC 1 report, you will want to make sure that the period covers the time that is beneficial to your client. We try to help service organizations align the period of their report with their clients’ fiscal year. A Type II SOC 1 report will need to cover at least six months of a client’s fiscal year for the report to be of value to its auditor.
You can learn more about the details of Type I and Type II reports by reviewing our article on SOC Report Types.
What Should Be Included in the Scope of Your SOC 1 Audit?
The scope of a SOC 1 audit is based upon the control objectives that you, as an organization, determine are likely to be relevant to a user entity’s ICFR. There is no set of control objectives that must be included in a SOC 1 audit—it will vary based upon the services performed.
You are likely not an expert at identifying or drafting control objectives—unless you were an auditor in a former life. That’s okay. Your auditor can help you identify and draft your control objectives. We also encourage our clients to review the control objectives with their customers and/or their auditors to make sure that the control objectives align with their expectations/needs.
Once you have identified the control objectives that are in scope, you can determine the processes and controls that your organization performs to meet those objectives. You now have your scope.
Are We Ready For a SOC 1 Audit?
If this will be your first time receiving a SOC 1 audit, chances are you are not quite ready. But how can you determine how much of a gap you have?
The best way to determine where you stand with regard to being able to successfully complete a SOC 1 audit is to have a readiness assessment performed by your auditor. A readiness assessment is essentially a pre-test Type I SOC 1 audit to determine whether or not you have all of the controls in place to meet your specified control objectives. A good readiness assessment will result in your auditor providing you with a management letter that specifies any gaps that you may have, along with their recommendations of how best to remedy those potential issues.
You can theoretically do your own readiness assessment. However, you run the risk that your auditor may have a different interpretation of what a control objective means or what is needed to meet it. If you decide to do your own pre-assessment, be sure to work closely with your auditor to make sure that you are on the same page. It is painful and frustrating to identify control gaps at the end of the period rather than beforehand.
Please read our article, Readiness Assessments – Preparing for your SOC Audit, for more information.
How Much Does a SOC 1 Audit Cost?
As you probably know, you cannot perform your own SOC 1 audit on your organization. You will need to have a licensed CPA firm like Linford & Company do it. There are many factors to consider when selecting an auditor. But before you even start that process, you will want to know how much a SOC 1 is going to cost. This is the most common question we get asked. Unfortunately, there is no simple or standard answer. Pricing for SOC audits can fluctuate a great deal between firms.
Even within the same firm, the price of a SOC 1 audit will vary based upon the estimated amount of effort needed to perform the audit. There are a lot of factors that go into determining the level of effort for a SOC 1 audit, including the scope of the audit, the number of control objectives being covered, the number of locations, and the size of the organization. If this will be your first SOC 1 audit, you will also want to ensure that any expenses related to a readiness assessment are included.
For more details, see our article, How Much Does a SOC Audit Cost?
While there is no SOC 1 report checklist, hopefully you have found this article helpful in addressing some of the important considerations and questions facing you as you embark on your SOC 1 audit.
Linford & Company is a CPA firm that specializes in SOC audits. We realize that you and your organization are unique and imagine that you have more questions. Please contact us and we would be happy to schedule a time to visit with you to address any questions that you may have.
Isaac Clarke is a partner at Linford & Co., LLP. He began his career with Ernst & Young in 2003 where he developed his audit expertise over a number of years. Isaac specializes in and has conducted numerous SOC 1 and SOC 2 examinations for a variety of companies—from startups to Fortune 100 companies. Isaac enjoys helping his clients understand and simplify their compliance activities. He is attentive to his clients’ needs and works meticulously to ensure that each examination and report meets professional standards.