This article was written by Courtney Caryl & Allison Stowers.
A SOC 1 report, also known as the Statement on Standards for Attestation Engagements (SSAE) 21, focuses on a service organization’s controls that are likely to be relevant to an examination of a user entity’s (customer’s) financial statements. SOC 1 reports cover a service organization’s business process control objectives and IT general controls that are relevant to the service(s) provided. There are two types of SOC 1 reports – a Type 1 examination and a Type 2 examination. The SOC 1 Type 1 report focuses on a description of a service organization’s control and the suitability of how those controls are designed to achieve the control objectives as of a specified date. The SOC 1 Type 2 report focuses on a description of a service organization’s control and the suitability of the design and operating effectiveness of controls over a duration of time. A Type 2 examination would be considered as more reliable as they pertain to the effectiveness of controls over an extended period of time. Use of these reports is restricted to the management of the service organization, user entities, and user auditors.
Benefits of Obtaining a SOC 1 Report
Several service organizations are required to undergo a SOC examination, including any service organization that may touch, store, process, or impact financials of their user entities. To start, a SOC report is an independent, third-party validation of a service organization’s commitment to evidencing the design and effective operation of their controls. It lets potential and current customers know that your company is trustworthy, that you take security seriously, and that you are operating according to industry requirements. Additionally, going through the examination process can point out weaknesses and flaws before a client does.
Service organizations may use a SOC 1 report as a competitive differentiator against other organizations that have not been examined. The AICPA offers a SOC logo that service organizations can use, providing an easy opportunity for clients and prospects to recognize that the service organization has met AICPA-designated standards.
Getting Started and What to Expect with SOC Attestation
Working with a CPA firm that specializes in SOC examinations can make the process less painful and is more beneficial for your organization. Auditors can help determine what type of SOC report your organization will most benefit from and will be there from the start by helping your organization complete a SOC readiness assessment. A readiness assessment is a great first step and can help an organization prepare for the examination by identifying current controls, deficiencies, gaps, and needed remediation.