Understanding SOC 1 Audits

System and Organization Controls (SOC) 1 examinations or “SOC 1 audits” are relevant for software and service companies that impact their customers’ financial statements or internal controls over financial reporting. Below is an overview of the SOC 1 audit process along with answers to commonly asked questions.

Who Needs a SOC 1 Audit?

Although SOC 1 audits are not legally required, companies whose software or services affect the financial reporting of customers that undergo financial statement audits often find that a SOC 1 report is necessary to be marketable to prospective customers. A SOC 1 report from a reputable firm builds trust and confidence with customers and serves as a market differentiator for companies seeking to appeal to a broad range of high-value customers.

FinTech companies, SaaS companies that impact financial reporting, payroll processors, loan servicing organizations, claims processors, data centers, and accounting software providers are common candidates for a SOC 1 audit. Other signs that your company should consider a SOC 1 audit include: frequent requests to complete vendor security questionnaires; customer agreements that reference SOC 1, SSAE 18, or SSAE 16; difficulty navigating customer vendor management requirements; or direct customer requests.

What is a SOC 1 Report?

SOC 1 reports, commonly called SSAE 18 reports after the attestation standard they are issued under (formerly SSAE 16, and before that SAS 70), were created to decrease the audit burden on service providers by establishing a standardized report that can be issued to user entities and their auditors. The SOC 1 audit process is based on guidance from the American Institute of Certified Public Accountants (AICPA) and is tailored to your company based on industry, company size, and customer expectations.

SOC 1 audits focus on a combination of IT, business process, and financial controls and procedures. SOC 2 audits, by comparison, focus more exclusively on IT controls evaluated against the AICPA Trust Services Criteria (security, availability, processing integrity, confidentiality, and privacy) and are designed for software providers and companies that store or process sensitive customer information. Many software companies that issue a SOC 1 report also benefit from a SOC 2 report.

SOC 1 reports are specifically designed to meet the requirements of the firms that audit your customers’ financial statements based on guidance from the AICPA. The control objectives for a SOC 1 report are customized for each company based on the services provided to end customers. Control objectives include a combination of IT controls, such as logical access, change management, and backup and recovery, as well as relevant business process controls, such as reconciliations, reporting, and transaction authorization.


A Deeper Look Into SOC 1 Audits

The SOC 1 Audit Process

Since a SOC 1 report filled with control deficiencies and failures does more harm than good, the SOC 1 audit process usually starts with a SOC 1 Readiness Assessment to evaluate how prepared your company is to undergo a SOC 1 audit. The SOC 1 Readiness Assessment provides an avenue to compare your company’s current policies, procedures, and controls against expected SOC 1 control objectives and implement internal controls specifically designed to meet SOC requirements without being overly burdensome or time consuming. Assessments generally take two weeks and include discussions with relevant team members, review of internal operations, and observation of system configurations.

During the SOC 1 audit process, a member of the ML&R team thoroughly analyzes applicable IT and business control areas to determine if your organization adheres to defined control objectives. The SOC 1 audit process involves discussions with various team members, observation of relevant IT and business processes and procedures, and testing of control activities in place to support customers and the completeness and accuracy of their financial statements.

Our team members are well-versed in SOC 1 requirements and create a streamlined audit approach customized to each organization. Evidence collection and collaboration software and a simplified reporting process reduce wasted time in the process – allowing our team and yours to focus on the activities that actually matter.

The Difference Between SOC 1 Type 1 and SOC 1 Type 2 Reports

The difference between a Type 1 and Type 2 report generally comes down to the time frame and extent of testing.

SOC 1 Type 1 reports are limited to tests of design and implementation (commonly known as a ‘test of one’) as of a specified date and are typically performed as the first SOC report. Issuing a Type 1 report first is not required but is often advisable, as it allows companies to issue SOC reports to their customers or prospects faster and serves as an effective ‘trial run’ prior to completing a Type 2 audit. This report describes the design of your organization’s financial processes and relevant IT controls and confirms that the applicable processes, procedures, and controls were implemented as of that date. SOC 1 Type 1 reports do not include tests of operating effectiveness, only of the design and implementation of your organization’s controls.

SOC 1 Type 2 reports assess relevant processes and controls over a set period of time, generally 6 or 12 months, rather than as of a specific date. The reports include tests of operating effectiveness, including sample-based testing of relevant controls across the reporting period. Companies are expected to issue SOC 1 Type 2 reports at least annually, regardless of whether they start with a SOC 1 Type 1 report. The majority of ML&R SOC clients obtain SOC compliance through the following services:

  • SOC Readiness Assessment
  • Type 1 Report
  • Type 2 Report six or twelve months later
  • Type 2 Reports annually thereafter

The Risk Assurance & Advisory Team can help you navigate the timing and process of obtaining a SOC 1 report. (Note that SOC 1 is an attestation report, not a certification; there is no “SOC 1 certified” status, even though the phrase is widely used.)

How Often to Perform a SOC 1 Audit

Generally, SOC 1 Type 1 and SOC 1 Type 2 reports are treated as current for 12 months from the report date; the report itself carries no formal expiration, but customers’ auditors typically will not rely on a report older than that. SOC 1 audits should therefore be performed annually, at a minimum. Companies with many customers that request SOC 1 reports and have varied financial year-ends may benefit from issuing a SOC 1 Type 2 report every six months. Companies can also issue a SOC 1 Type 2 report covering a shorter period after the SOC 1 Type 1, such as 6 or 9 months, if a SOC 1 Type 2 report is required sooner.

Who Can Perform a SOC 1 Audit

While SOC readiness assessments can be performed by a range of IT consulting firms, SOC examinations can only be performed and issued by a licensed Certified Public Accountant (CPA) firm, following the attestation standards set by the AICPA (CPA licensure itself is granted by state boards of accountancy).

SOC reports are trusted by stakeholders, customers, and auditors because they are held to a high standard established by the AICPA and performed exclusively by individuals who are licensed, trained, and independent of the organization being examined. As a full-service CPA firm, Maxwell Locke & Ritter is able to perform both readiness assessment and audit / examination services.