At Linford and Company, we hear this question all the time: “What is a SOC 1 report?” For decades there has been a trend of outsourcing certain aspects of running an organization to other organizations. The value proposition is simple: an organization can focus on what it does best and leave some of the other details required to run the business to other organizations (in CPA jargon these are called service organizations). A SOC 1 Report (Service Organization Controls Report, formerly an SSAE 16 report) is a report on controls at a service organization that are relevant to user entities’ internal control over financial reporting.
Who Needs a SOC 1 Report? Example: Service Organization (Payroll Processing)
An example of a service organization that may need a SOC 1 report is a company that provides payroll processing services to user entities. User entities that use the payroll processing company realize the material impact of payroll on their financial statements and request some independent assurance that their payroll is being handled in accordance with their expectations. A SOC 1 report provides user entities of the payroll processing company reasonable assurance that the internal controls of the payroll processing company are suitably designed (Type I report) or suitably designed and operating effectively (Type II report) to provide the payroll services.
Who is Required to Have a SOC 1 Report?
There are numerous service organizations that may receive SOC 1 reports. The common theme between the service organizations should be the potential impact on user entities’ internal controls over financial reporting (ICFR). Some examples of organizations who may receive SOC 1 reports include:
- Payroll processors
- Medical claims processors
- Loan servicing companies
- Data center companies
- Software-as-a-Service (SaaS) companies that may impact the financials of their user entities.
Type 1 or Type 2 Report
SOC 1 reports can be Type 1 (aka Type I) or Type 2 (aka Type II) reports.
Type 1 reports are as of a particular date (sometimes referred to as point-in-time reports). They include a description of the service organization’s system as well as tests to help determine whether the service organization’s controls are designed appropriately. Type 1 reports test the design of a service organization’s controls, but not their operating effectiveness.
Type 2 reports cover a period of time (usually 12 months), include a description of the service organization’s system, and test the design and operating effectiveness of key internal controls over a period of time.
SOC 1 Timeline – SAS 70 → SSAE 16 → SSAE 18
Between 1993 and 2011, the SOC 1 report was known as a SAS 70 report. Then in June 2011, the name was changed by the American Institute of CPAs (AICPA) Auditing Standards Board (ASB) when it issued Statement on Standards for Attestation Engagements (SSAE) No. 16, which provides guidance for CPA firms reporting on controls at service organizations. The intent of the SSAE 16 or SOC 1 report is the same as when it was SAS 70: to provide user organizations reasonable assurance that the controls at their service organizations that are relevant to the user organizations’ internal controls over financial reporting (ICFR) are suitably designed and operating effectively.
In 2017, the AICPA issued SSAE 18 which recodifies all previous attestation standards (including SSAE 16). SSAE 18 took effect on May 1, 2017.
Restricted Use Reports
Because SOC 1 reports may contain sensitive information about service organizations, they are considered restricted use reports and should only be shared with management of the service organization (the company that has the SOC 1 performed), user entities of the service organization (the service organization’s clients), and the user entities’ financial auditors (user auditors). The report can assist the user entities’ financial auditors with their obligations under laws and regulations like the Sarbanes–Oxley Act.
When is a SOC 1 Report Required?
Most of the time your clients will let you know when a SOC 1 or other SOC report is required. Let’s be honest, no one likes to go through an audit. Also, the fees for SOC audits are not insignificant, so ensuring your clients/user entities need the report is a good way to know whether a SOC 1 is the right report for your company. SOC 1 reports can also be a good way to differentiate the services provided to your clients vs. those provided by a competitor without a SOC 1 report.
The abundance of information security questionnaires sent by user entities is enough to drive many companies to obtain a SOC 1 report to answer many of the common questions. Some individuals at service organizations spend a significant portion of their time answering questionnaires with slightly different questions. A SOC 1 report may sometimes be provided in lieu of answering certain sections of the due diligence questionnaires.
SOC 1 Report Structure
The Opinion Letter (SOC 1 Qualified Opinion vs. Unqualified)
The first section contains the opinion letter (aka Independent Auditor’s Report). The opinion letter outlines the scope of the report (services included), the test period (Type 2) or report as-of date (Type 1), and the type of opinion being issued. See our recent blog post on qualified report opinions.
Management’s Assertion
The second section contains an assertion written by management of the service organization that makes a number of management statements, including the following:
- An assertion that the description of the system fairly presents the system
- An assertion that the controls were suitably designed (Type 1) or suitably designed and operating effectively (Type 2) to achieve the control objectives
- Discussion of the criteria used to make the assertion
Description of the System
The description of a service organization’s system is a description of the services provided that are relevant to user entities’ ICFR. The description includes the supporting processes, policies, procedures, personnel, and operational activities that constitute the service organization’s services that are relevant to user entities.
Description of Tests of Controls and Results of Testing
This is the section in which the SOC auditor describes the controls that were tested as part of the examination, the test procedures used to test those controls, and the results of testing. When reviewing a SOC 1 report, the opinion and the results-of-testing sections contain the key information necessary to determine whether a service organization’s system of internal controls is suitably designed and operating effectively to provide the services.
Some SOC 1 reports include a section used by service organizations to provide additional information about relevant processes that were not tested within the report such as disaster recovery and business continuity information. The SOC auditor will not express an opinion on the statements made by management within this section.
SOC 1 vs. SOC 2 vs. SOC 3 Reports
We regularly have prospective clients that struggle with whether they should get a SOC 1, SOC 2, or SOC 3 report. We normally start by asking these prospective clients about the type of user entities asking for the report as well as the type of services they provide to their clients. This allows us to assess whether there may be an impact on the ICFR of the prospective clients’ user entities. See our recent blog post on choosing between SOC 1 vs. SOC 2 vs. SOC 3.
In this blog post we described what a SOC 1 report is, the types of service organizations that might need a SOC 1 report, differences between Type 1 and Type 2 reports, restricted use reports, when a SOC 1 report might be required, the structure of a SOC 1 report, and differences between SOC reports.
Rob started with Linford & Co., LLP in 2011 and leads the HITRUST practice as well as performs SOC examinations and HIPAA assessments. He has spoken at Data Center World on compliance-related topics and has completed over 200 SOC examinations. He started his career as an IT auditor in 2003 with PwC in the Systems and Process Assurance group, and has worked in a variety of industries in internal audit as well as for the City and County of Denver.