What is a SOC 1 Report? Expert Advice You Need to Know

What is a SOC 1 report?

This article was originally published on 11/22/2017, and was updated on 12/29/2020.

We frequently are asked by our clients and prospective clients, “What are SOC 1 reports and when they should be considered?” Our response is usually a question, “How does your service impact the financials of your clients?” In some cases, the prospective client has an immediate answer and describes the financially relevant process. In other cases, the prospect says, “Well, we don’t actually impact the financials of our clients…” For example, they have read access to client data, but do not have the ability to modify data or impact financials. They could be providing a business intelligence solution or different views of the same client data, but they cannot impact the data and in turn, cannot impact the financials of their clients.

What is a SOC 1 Audit Report and Who Can Perform One?

A SOC 1 report is completed by a CPA firm that specializes in auditing IT and business process controls. SOC 1 reports are considered attestation reports. Please see our past blog on attestation reports.

In an attestation report, management asserts certain controls are in place to meet the objective of the report and a CPA firm provides an opinion on whether it agrees with management’s assertion. In a SOC 1 attestation report, management asserts that controls are in place and operating (Type II) to meet the relevant SOC 1 control objectives and the CPA firm’s opinion is either unqualified or qualified. Please see our past blog regarding qualified reports.

 

SOC 1 Control Objectives

What are Control Objectives? What is a SOC 1 Report Used For?

Control objectives are the aim or purpose of controls within a SOC 1 process area.  You can think of them as the category of the relevant audit process area. Control objectives should address the risks that controls are intended to mitigate. The scope of a SOC 1 report includes all the relevant control objectives (domains) covered by the report. Example control objective:

Controls provide reasonable assurance that logical and physical access to programs, data, and computer resources relevant to user entities’ internal control over financial reporting is restricted to authorized and appropriate users and such users are restricted to performing authorized and appropriate actions.

The objective of the auditor working with management is to identify control objectives that adequately address the risks taken on by users of the system. Control objectives are supported by controls within a given process. Each control objective must have enough controls designed and operating effectively (Type II report only) to be able to make the control objective statement. Notice the “reasonable assurance” language that is consistent with all SOC 1 control objectives. The auditor is not tasked with providing absolute assurance that the control objectives are met. This means it’s possible for controls in each area to fail and management can still have a clean report opinion provided enough other controls are operating to allow the reasonable assurance bar to be met. Please see our past blog which discusses the concept of “reasonable assurance.”

What are SOC 1 Service Organizations?

“Service organization” is a term used by the AICPA to describe when companies outsource to other companies. A service organization supports the processes their clients have outsourced to them. A continued trend in business outsourcing has resulted in some financially relevant processes being outsourced.

For example, ADP provides payroll outsourcing to its clients. Rather than attempt to provide payroll services internally, a company may choose to focus on their unique product offering and outsource payroll to ADP. When a service organization can make an error (unintendedly or intendedly), and it can impact the financials of the company’s clients, the company may be requested to have a SOC 1 that covers the services provided by the service organization. SOC 1 service organizations are the outsourcing providers that can materially impact the financials of their clients.

 

Is SOC 1 mandatory?

Are SOC 1 Reports Mandatory?

SOC 1 reports may be required by your clients or investors if your company provides a service that may impact your client’s internal controls over financial reporting (ICFR). Depending on the industry your company operates in and the risk associated with the service you are providing, a SOC 1 can demonstrate you have certain IT general controls as well as business process-related controls (e.g., reconciliations, transaction authorizations) to support the achievement of control objective statements.

SAS-70, SSAE 16, and SOC 1 – Why All the Jargon?

Admittedly, the language used to describe these reports is confusing. Please see our past post on Deconstructing the SSAE 18/SOC1/SOC 2, which explains the history of what is now known as the SOC 1 report. If you would like to learn more, we also have  informative blogs on SOC Audits and What is SOC 2.

To complicate matters further, there is also the concept of a Type I or Type II SOC 1 report.

The gist of it is a Type I report is as of a particular date or point-in-time. A Type II report covers a period (usually 12 months) historically. A Type I includes an auditor’s test of controls’ design to meet the SOC 1 control objectives. A Type II includes tests of controls’ design and operating effectiveness. Type IIs are stronger SOC 1 reports, but occasionally a first time SOC 1 will be a Type I report as it essentially draws a line in the sand with regard to relevant controls. Companies who receive a Type I report first now know which controls will be included in future reports and can prioritize the completion and evidencing of the relevant controls accordingly.

SOC Audit: Type 1 vs Type 2

How Do We Know If We Can Impact Our Clients’ ICFR?

If your company plays a role in your clients’ financial material processes your service may be able to impact your clients’ ICFR. For example, payroll service providers such as ADP and Paychex provide a materially relevant service (payroll) that could impact the financials of their clients.

 

What is SOC 1 Compliance?

What Does SOC 1 Compliance Mean?

SOC 1 compliance means maintaining the SOC 1 controls included within your SOC 1 report over time. It may also be referred to as maintaining the operating effectiveness of SOC 1 controls. The SOC 1 controls are those IT general controls and business process controls necessary to demonstrate reasonable assurance with the control objectives.

How Long is a SOC 1 Report Valid?

Type II SOC 1 reports cover a period of time in the past. For example, January 1 – December 31, 2020. The typical Type II SOC 1 report examination period is twelve months although Type II reports may vary in length from six to eighteen months. Some firms issue Type II reports shorter than six months, but the concept of a Type II report is to cover the operating effectiveness of the controls over time. If the snapshot of controls performance (exam period length) is too short, it defeats the purpose of obtaining a Type II report.

How Much Does a SOC 1 Audit Report Cost?

SOC 1 examination fees vary depending on a number of factors. Please see cost factors below that audit firms use to calculate fees:

SOC 1 Report Cost Factors Infographic

  • Size of company and number of individuals with in-scope system’s access
  • Complexity of IT and business process control environment
  • Risk associated with services provided and data stored
  • Use of cloud infrastructures such as AWS, Azure, or GCP
  • Number of business process control objectives
  • Location of offices and data centers in scope within the report
  • Type I vs Type II report

Who needs a SOC 1 report?

Who Needs a SOC 1 Report? Is it Required?

There are numerous service organizations that may receive SOC 1 reports. The common theme between the service organizations should be the potential impact on user entities’ ICFR. Some examples of organizations who may receive SOC 1 reports include:

  • Payroll processors
  • Medical claims processors
  • Loan servicing companies
  • Data center companies
  • Software-as-a-Service (SaaS) companies that may impact the financials of their user entities.

SOC 1 Report Summary

Your company may be required to get a SOC 1 report by your clients or stakeholders. SOC 1 reports cover the business process control objectives and IT general controls that address the risks of your users related to the use of your service.  SOC 1s are the correct report if your company provides a service that is relevant to or could impact the financials of your clients. A SOC 1 report can be a Type I as of a particular date or a Type II covering a period of time in the past. SOC 1 reports can not include any statements on the future performance of controls.

If your company needs to go through a SOC 1 examination, choose your auditor carefully. Some audit firms dabble in performing SOC 1 examinations and also provide tax and bookkeeping services. Linford and Company specializes in performing SOC 1 examinations for small to large-sized businesses. Please feel free to contact me with any SOC 1 related questions.

17 thoughts on “What is a SOC 1 Report? Expert Advice You Need to Know

  1. A crystal clear explanation of SOC 1. Would love to see the same article for SOC 2. Would you please write one if there is not one yet?

    Thank you much.

  2. Its a common misconception that users are entitled to Full SOC Reports. If you do not want the security of your company compromised the SOC Reports don’t give it out. The SOC should be given only to other SOC rated companies with a strict NDA demanding that the SOC be reviewed only by the person signing the NDA, never put on a network, and then destroyed. Better yet, the user should rely on the SOC Summary or SOC 3 which do not contain company security protocols.

  3. If an entity has already obtained SOC2 Report and one of its clients asks for a SOC1 Report, whether the entity can show SOC2 Report to the client or it has to obtain SOC1 Report separately?

  4. Try showing them your SOC 2 report. If they object and still want a SOC 1 report, it may prove useful to ask them what risks to the services you are providing them are not covered in the SOC 1 report. This is one way to tell if they really know what to look for within a SOC 1 report. Hope this helps.

  5. Great SOC1 overview.

    In this connected environment is a SOC1 requirement to have a remote site other than your DRS site?

    Most workers will return home in a disaster not risk crossing a bridge to get to an alternative site. BCP go home while IT recovers?

  6. Having a remote disaster recovery site is not a SOC 1 requirement. However, having such a site could be a requirement of your service agreement with your clients (ie, user organizations) or an important part of the service you as a service provider are performing for your clients.

  7. I disagree with the comment about having only the single reviewer signing an NDA to review a SOC report. We have a global company and our business unit managers often source SaaS and PaaS – and we require service orgs to have SOC reports as part of our procurement review process. However, the business unit manager, not the IT Security and Compliance manager, will sign the final contract. Most business unit managers do not know what good IT security and compliance controls are – it’s not their field of expertise – but it is mine as an IT sec/comp lead in our company. Our company always signs Mutual NDAs before we even start an RFP, so it would be pointless to sign another NDA just to review the SOC report. We not only require SOCs of the main service org but of their subservice providers as well – difficult to demand NDAs of everyone down the chain.

  8. Thank you for the informative article. My issue is that we are the auditors for the Health Fund of a small Union (about 30 companies with 100 employees) with total health insurance claims of about $1.3 million. At the beginning of 2017, they switched their eye and dental coverage to Guardian, with a cost of about $70,000 in 2017. I requested a SOC-1 report from Guardian but they replied that they were not required to perform an SSAE 18 review “due to the fact that the insurance industry is highly regulated by state departments of insurance, who closely monitor the solvency and market conduct practices of insurance companies.”

    All well and good, but does that mean that my firm is now “on the hook” to perform an audit of Guardian’s controls? What options do we have? Thanks!

  9. The audit considerations that you take with Guardian is dependent your financial statement audit approach and whether you are performing an integrated audit or not. If your financial statement audit approach dictates that you are required to place reliance on Guardian’s internal control environment, then you have a couple options: 1) They provide you with a SOC report that covers the services you are placing reliance on and a reporting period that has sufficient coverage or 2) you go out to Guardian to perform an audit of their controls as you noted. In any case, talk to the engagement partner to develop the course of action to take during the audit planning meeting.

  10. Who will audit SOC report, i mean any certified person or IT auditor and what is the process. Please let me know.

  11. Hi RK, a SOC examination must be performed by a licensed CPA firm. You should also ensure that your SOC auditors have IT audit experience and the requisite technical knowledge to perform the examination.

  12. Hi RK, an external auditor must perform a SOC examination and the external auditor must be a part of a public accounting (CPA) firm. Internal auditors may not issue SOC reports.

Leave a Reply

Your email address will not be published. Required fields are marked *