This article was originally published on 11/22/2017, and was updated on 12/29/2020.
We frequently are asked by our clients and prospective clients, “What are SOC 1 reports and when they should be considered?” Our response is usually a question, “How does your service impact the financials of your clients?” In some cases, the prospective client has an immediate answer and describes the financially relevant process. In other cases, the prospect says, “Well, we don’t actually impact the financials of our clients…” For example, they have read access to client data, but do not have the ability to modify data or impact financials. They could be providing a business intelligence solution or different views of the same client data, but they cannot impact the data and in turn, cannot impact the financials of their clients.
What is a SOC 1 Audit Report and Who Can Perform One?
A SOC 1 report is completed by a CPA firm that specializes in auditing IT and business process controls. SOC 1 reports are considered attestation reports. Please see our past blog on attestation reports.
In an attestation report, management asserts certain controls are in place to meet the objective of the report and a CPA firm provides an opinion on whether it agrees with management’s assertion. In a SOC 1 attestation report, management asserts that controls are in place and operating (Type II) to meet the relevant SOC 1 control objectives and the CPA firm’s opinion is either unqualified or qualified. Please see our past blog regarding qualified reports.
What are Control Objectives? What is a SOC 1 Report Used For?
Control objectives are the aim or purpose of controls within a SOC 1 process area. You can think of them as the category of the relevant audit process area. Control objectives should address the risks that controls are intended to mitigate. The scope of a SOC 1 report includes all the relevant control objectives (domains) covered by the report. Example control objective:
Controls provide reasonable assurance that logical and physical access to programs, data, and computer resources relevant to user entities’ internal control over financial reporting is restricted to authorized and appropriate users and such users are restricted to performing authorized and appropriate actions.
The objective of the auditor working with management is to identify control objectives that adequately address the risks taken on by users of the system. Control objectives are supported by controls within a given process. Each control objective must have enough controls designed and operating effectively (Type II report only) to be able to make the control objective statement. Notice the “reasonable assurance” language that is consistent with all SOC 1 control objectives. The auditor is not tasked with providing absolute assurance that the control objectives are met. This means it’s possible for controls in each area to fail and management can still have a clean report opinion provided enough other controls are operating to allow the reasonable assurance bar to be met. Please see our past blog which discusses the concept of “reasonable assurance.”
What are SOC 1 Service Organizations?
“Service organization” is a term used by the AICPA to describe when companies outsource to other companies. A service organization supports the processes their clients have outsourced to them. A continued trend in business outsourcing has resulted in some financially relevant processes being outsourced.
For example, ADP provides payroll outsourcing to its clients. Rather than attempt to provide payroll services internally, a company may choose to focus on their unique product offering and outsource payroll to ADP. When a service organization can make an error (unintendedly or intendedly), and it can impact the financials of the company’s clients, the company may be requested to have a SOC 1 that covers the services provided by the service organization. SOC 1 service organizations are the outsourcing providers that can materially impact the financials of their clients.
Are SOC 1 Reports Mandatory?
SOC 1 reports may be required by your clients or investors if your company provides a service that may impact your client’s internal controls over financial reporting (ICFR). Depending on the industry your company operates in and the risk associated with the service you are providing, a SOC 1 can demonstrate you have certain IT general controls as well as business process-related controls (e.g., reconciliations, transaction authorizations) to support the achievement of control objective statements.
SAS-70, SSAE 16, and SOC 1 – Why All the Jargon?
Admittedly, the language used to describe these reports is confusing. Please see our past post on Deconstructing the SSAE 18/SOC1/SOC 2, which explains the history of what is now known as the SOC 1 report. If you would like to learn more, we also have informative blogs on SOC Audits and What is SOC 2.
To complicate matters further, there is also the concept of a Type I or Type II SOC 1 report.
The gist of it is a Type I report is as of a particular date or point-in-time. A Type II report covers a period (usually 12 months) historically. A Type I includes an auditor’s test of controls’ design to meet the SOC 1 control objectives. A Type II includes tests of controls’ design and operating effectiveness. Type IIs are stronger SOC 1 reports, but occasionally a first time SOC 1 will be a Type I report as it essentially draws a line in the sand with regard to relevant controls. Companies who receive a Type I report first now know which controls will be included in future reports and can prioritize the completion and evidencing of the relevant controls accordingly.
How Do We Know If We Can Impact Our Clients’ ICFR?
If your company plays a role in your clients’ financial material processes your service may be able to impact your clients’ ICFR. For example, payroll service providers such as ADP and Paychex provide a materially relevant service (payroll) that could impact the financials of their clients.
What Does SOC 1 Compliance Mean?
SOC 1 compliance means maintaining the SOC 1 controls included within your SOC 1 report over time. It may also be referred to as maintaining the operating effectiveness of SOC 1 controls. The SOC 1 controls are those IT general controls and business process controls necessary to demonstrate reasonable assurance with the control objectives.
How Long is a SOC 1 Report Valid?
Type II SOC 1 reports cover a period of time in the past. For example, January 1 – December 31, 2020. The typical Type II SOC 1 report examination period is twelve months although Type II reports may vary in length from six to eighteen months. Some firms issue Type II reports shorter than six months, but the concept of a Type II report is to cover the operating effectiveness of the controls over time. If the snapshot of controls performance (exam period length) is too short, it defeats the purpose of obtaining a Type II report.
How Much Does a SOC 1 Audit Report Cost?
SOC 1 examination fees vary depending on a number of factors. Please see cost factors below that audit firms use to calculate fees:
- Size of company and number of individuals with in-scope system’s access
- Complexity of IT and business process control environment
- Risk associated with services provided and data stored
- Use of cloud infrastructures such as AWS, Azure, or GCP
- Number of business process control objectives
- Location of offices and data centers in scope within the report
- Type I vs Type II report
Who Needs a SOC 1 Report? Is it Required?
There are numerous service organizations that may receive SOC 1 reports. The common theme between the service organizations should be the potential impact on user entities’ ICFR. Some examples of organizations who may receive SOC 1 reports include:
- Payroll processors
- Medical claims processors
- Loan servicing companies
- Datacenter companies
- Software-as-a-Service (SaaS) companies that may impact the financials of their user entities.
SOC 1 Report Summary
Your company may be required to get a SOC 1 report by your clients or stakeholders. SOC 1 reports cover the business process control objectives and IT general controls that address the risks of your users related to the use of your service. SOC 1 reports are the correct report if your company provides a service that is relevant to or could impact the financials of your clients. A SOC 1 report can be a Type I as of a particular date or a Type II covering a period of time in the past. SOC 1 reports can not include any statements on the future performance of controls.
If your company needs to go through a SOC 1 examination, choose your auditor carefully. Some audit firms dabble in performing SOC 1 examinations and also provide tax and bookkeeping services. Linford and Company specializes in performing SOC 1 examinations for small to large-sized businesses. Please feel free to contact me with any SOC 1 related questions.
Rob started with Linford & Co., LLP in 2011 and leads the HITRUST practice as well as performs SOC examinations and HIPAA assessments. He has spoken at Data Center World on compliance-related topics and has completed over 200 SOC examinations. He started his career as an IT auditor in 2003 with PwC in the Systems and Process Assurance group, and has worked in a variety of industries in internal audit as well as for the City and County of Denver.