A SOC 1 audit is an engagement at a service organization related to internal control over financial reporting (ICFR). SOC 1 audit standard were developed by the AICPA and follow the Statement on Standards for Attestation Engagements No. 18 (SSAE 18).

Pricing for a SOC 1 audit depends on scoping factors, including the degree to which your services impact your client’s financial reporting, your business applications interacting with financial data, technology platforms and personnel impacting the security of client data, physical locations, third parties, and audit frequency. Pricing will also vary based on the report type you choose, inclusion of a gap analysis, or inclusion of additional remediation support.

The average SOC 1 audit can take anywhere from weeks to months, depending on your level of preparedness and staff’s availability for interviews and control demonstration. To satisfy the AICPA requirements for an engagement, the auditor must validate scope, perform testing procedures, and document conclusions. These steps require time from the service organization’s management, which can be compressed or extended to meet your timeline needs. You can save time by leveraging the Online Audit Manager to maintain the audit evidence you need for compliance.

A SOC 1 audit culminates in a SOC 1 report. The components and formatting of SOC 1 reports delivered by KirkpatrickPrice are based on guidelines provided by the AICPA and written by our in-house Professional Writing team. SOC 1 reports provide an independent opinion, a description of your services and controls, and in the case of a SOC 1 Type II report, details on the testing performed to determine operating effectiveness.

SOC 1 reports represent your controls from a period of time in the past. Typically, your clients will not accept a report issued more than 12 months ago because they want your testing to be relevant for their own audit period.

A SOC 1 Type I audit may be performed initially but then replaced with a subsequent SOC 1 Type II audit. Because the Type II report covers a period of time in the past, it is recommended that you perform a new engagement that picks up at the date of your last period. Maintaining an audit process that covers each fiscal year will demonstrate a commitment to compliance and ongoing testing of controls, which ultimately contributes to the health of your organization.

In every SOC 1 engagement, the Auditor is required by the AICPA to maintain communication with management and those charged with governance from the service organization. Other team members involved in the audit could come from anywhere in your organization, ranging range from human resources to development to compliance officers – anyone with the appropriate responsibilities for and knowledge of the matters concerned in the audit.

.

Organizations that perform services that could affect their clients’ financial statements need a SOC 1 audit. However, SOC 1 audits are not a review of a service organization’s financial statements but rather a review of internal controls over financial reporting. 

While SOC 1 reports are not required by law, some organizations will not do business with companies who have not completed a SOC 1 audit. Even if an organization does not require SOC 1 compliance, going through a SOC 1 audit will differentiate one service provider that cares about sensitive client information and one that does not.

When you receive a SOC 1 audit, you’ll receive an opinion that speaks to the operating effectiveness and design of your organization’s security program. In your audit report each control objective will outline if there were any exceptions found during testing. An exception represents the area of a control or practice that is not operating according to an organization’s own policies or industry standards and frameworks. Exceptions allow organizations to double check themselves against the controls required of them and to implement improvements to their overall security and compliance program.