We are frequently asked by our clients and prospective clients, “What are SOC 1 reports and when should they be considered?” Our response is usually a question, “Can your service impact the financial statements of your clients?” In some cases, the prospective client has an immediate answer and describes the financially relevant process. In other cases, the prospect says, “Well, we don’t actually impact the financials of our clients…” For example, they may have read access to client data but no ability to modify financial data or otherwise affect the financials. They could be providing a business intelligence solution or different views of the same client data, but because they cannot change the data, they cannot impact the financials of their clients.
What is a SOC 1 Audit Report & Who Can Perform One?
A SOC 1 report is an audit report whose scope includes both business process and information technology control objectives and the testing of the controls that support them. A SOC 1 must be issued by a CPA firm that specializes in auditing IT security and business process controls. SOC 1 reports are considered attestation reports.
In a SOC 1, management asserts that certain controls are in place to meet the control objectives included in the report, and a CPA firm tests the controls related to management’s assertion and provides an opinion on whether it agrees with that assertion. SOC 1s are tailored to the service organization receiving them, and there is no standard set of requirements tested. This is unlike a SOC 2, where predefined trust services criteria (requirements) are included in the report. A SOC 1 report will include an auditor’s opinion that is either qualified or unqualified. Please see our past blog regarding qualified reports. An unqualified SOC 1 report is also known as a “clean” report. A qualified SOC 1 report will include language in the auditor’s opinion letter that describes the qualification and identifies the one or more control objectives that were not met.
What are Control Objectives? What is a SOC 1 Report Used For?
Control objectives are the aim or purpose of controls within a SOC 1 process area. You can think of them as overarching statements for each audit process area included in the report. Control objectives should address the risks that controls in each process area are intended to mitigate. The scope of a SOC 1 report includes all the relevant control objectives covered by the report. A sample control objective might state:
Controls provide reasonable assurance that logical and physical access to programs, data, and computer resources relevant to user entities’ internal control over financial reporting is restricted to authorized and appropriate users and such users are restricted to performing authorized and appropriate actions.
In the above example, the auditor and service organization must work together to identify controls that support the control objective statement. Example controls supporting the control objective could include passwords, multi-factor authentication, role-based access enforcement, and physical security.
The auditor, working with management, aims to identify control objectives that adequately address the risks taken on by users of the system. Control objectives are supported by controls within a given process. In a Type II SOC 1 report, each control objective must have enough controls designed and operating effectively for the auditor to make the control objective statement without qualification. Notice the “reasonable assurance” language, which is consistent across all SOC 1 control objectives. The auditor is not tasked with providing absolute assurance that the control objectives are met. This means it is possible for a control related to a given control objective to fail and for management to still receive a clean report opinion, provided enough other controls are operating to allow the reasonable assurance bar to be met.
SOC 1 reports can help financial statement auditors of user entities place reliance on processes performed by service organizations so that the auditors can rely on the process that is outsourced without performing their own audit procedures over the service organization.
What are SOC 1 Service Organizations?
“Service organization” is a term used by the AICPA to describe a company to which other companies outsource processes. A service organization supports the processes its clients have outsourced to it. A continued trend in business outsourcing has resulted in some financially relevant processes being outsourced.
For example, ADP provides payroll outsourcing to its clients. Rather than attempt to provide payroll services internally, a company may choose to outsource payroll to ADP. In this context, ADP is a service organization that can impact the financial statements of its clients. When a service organization can make an error (intentionally or unintentionally) that impacts the financials of its clients, the service organization may be asked to obtain a SOC 1 that covers the services it provides. SOC 1 service organizations are outsourcing providers that can materially impact the financials of their clients.
Are SOC 1 Reports Mandatory?
SOC 1 reports may be required by your clients or investors if your company provides a service that may impact your client’s internal controls over financial reporting (ICFR). Depending on the industry your company operates in and the risk associated with the service you are providing, a SOC 1 can demonstrate you have certain IT general controls as well as business process-related controls (e.g., reconciliations, transaction authorizations) to support the achievement of control objective statements.
What are User Entities?
User entities are the consumers of SOC 1 reports. A user entity is typically a company that has outsourced some of its ICFR to another company, called a service organization. User entities can also be investors or external auditors of companies that utilize service organizations impacting ICFR.
SAS-70, SSAE 16, & SOC 1 – Why All the Jargon?
Admittedly, the language used to describe these reports is confusing. Please see our past post on Deconstructing the SSAE 18/SOC1/SOC 2, which explains the history of what is now known as the SOC 1 report. If you would like to learn more, we also have informative blogs on SOC Audits and What is SOC 2.
What is the Difference Between a Type I & a Type II SOC 1 Report?
To complicate matters further, there is also the concept of a Type I or Type II SOC 1 report. The gist of it is that a Type I report is as of a particular date or point in time, while a Type II report covers a period (usually 12 months) in the past. A Type I includes the auditor’s tests of whether the controls are designed to meet the SOC 1 control objectives. A Type II includes tests of both the design and the operating effectiveness of the controls. Type II SOC 1 reports provide greater assurance than Type I reports, but occasionally a first-time SOC 1 will be a Type I report, as it essentially draws a line in the sand with regard to which controls are relevant. Companies that receive a Type I report first then know which controls will be included in future reports and can prioritize the completion and evidencing of the relevant controls accordingly.
How Do We Know If We Can Impact Our Clients’ ICFR?
If your company plays a role in your clients’ financial processes, your service may be able to impact your clients’ ICFR. For example, payroll service providers such as ADP and Paychex provide a materially relevant service (payroll) that could impact the financials of their clients.
What Does SOC 1 Compliance Mean?
SOC 1 compliance means maintaining the SOC 1 controls included within your SOC 1 report over time. It may also be referred to as maintaining the operating effectiveness of SOC 1 controls. The SOC 1 controls are the IT general controls and business process controls necessary to provide reasonable assurance that the control objectives are met.
How Long is a SOC 1 Report Valid? How Often is it Prepared?
Type II SOC 1 reports cover a period of time in the past, for example, January 1 – December 31, 2023. The typical Type II SOC 1 examination period is twelve months, although Type II reports may vary in length from six to eighteen months. Some firms issue Type II reports covering less than six months, but the concept of a Type II report is to cover the operating effectiveness of the controls over time. If the snapshot of control performance (the exam period length) is too short, the result is more like a Type I report than a Type II report.
How Much Does a SOC 1 Audit Report Cost?
SOC 1 examination fees vary depending on a number of factors. The cost factors below are those audit firms use to calculate fees:
- Size of company and number of individuals with in-scope system access
- Complexity of IT and business process control environment
- Risk associated with services provided and data stored
- Use of cloud infrastructures such as AWS, Azure, or GCP
- Number of business process control objectives
- Location of offices and data centers in scope within the report
- Type I vs Type II report
Who Needs a SOC 1 Report?
There are numerous service organizations that may receive SOC 1 reports. The common theme between the service organizations should be the potential impact on user entities’ ICFR. Some examples of organizations that may receive SOC 1 reports include:
- Payroll processors
- Medical claims processors
- Loan servicing companies
- Datacenter companies
- Software-as-a-Service (SaaS) companies that may impact the financials of their user entities
SOC 1 Report Summary
Your company may be required by your clients or stakeholders to obtain a SOC 1 report. SOC 1 reports cover the business process control objectives and IT general controls that address the risks your users take on by using your service. A SOC 1 report is the correct report if your company provides a service that is relevant to or could impact the financials of your clients. A SOC 1 report can be a Type I, as of a particular date, or a Type II, covering a period of time in the past. SOC 1 reports cannot include any statements on the future performance of controls.
If your company needs to go through a SOC 1 examination, choose your auditor carefully. Some audit firms dabble in performing SOC 1 examinations and also provide tax and bookkeeping services. Linford and Company specializes in performing SOC 1 examinations for small to large-sized businesses. Please feel free to contact me with any SOC 1-related questions.
This article was originally published on 11/22/2017 and was updated on 4/12/2023.
Rob started with Linford & Co., LLP in 2011 and leads the HITRUST practice as well as performs SOC examinations and HIPAA assessments. He has spoken at Data Center World on compliance-related topics and has completed over 200 SOC examinations. He started his career as an IT auditor in 2003 with PwC in the Systems and Process Assurance group, and has worked in a variety of industries in internal audit as well as for the City and County of Denver.