Understanding Your SOC 1 Report: What is a SOC 1 Report?

by Joseph Kirkpatrick / February 22, 2023

What is a SOC 1 Report? Has a prospect recently asked if your organization has a SOC 1 report? Has a top client requested that you begin completing annual SOC 1 audits? Meanwhile, you're just wondering, what is a SOC 1 report? Does your service organization affect user organization’s financial reporting? A SOC 1 would apply to you. SOC 1 engagements are based on the SSAE 18 standard developed by…

Understanding Your SOC 1 Report: How Does Sampling Work?

by Joseph Kirkpatrick / December 20, 2022

Sampling During a SOC 1 Audit When an auditor performs a test of control during a SOC 1 audit, it may be appropriate to apply sampling. Sampling is applying audit procedures to less than 100% of a population. The types of populations that could need to be tested include new hire training forms, employee acknowledgements of policies and procedures, antivirus reports, or access control logs. The PCAOB states that sampling…

Understanding Your SOC 1 Report: Auditor’s Test of Controls

by Joseph Kirkpatrick / December 20, 2022

The Auditor's Test of Controls: Review, Observe, and Interview At the end of a SOC 1 Type II report, you’ll find a section titled, “Information Provided by the Independent Service Auditor.” Within this section, you will find “Auditor’s Test of Controls,” which is a description of the controls that were tested during the audit, procedures used for testing these controls, and the results of the testing. The test of controls…

Understanding Your SOC 1 Report: Audit Risk, Control Risk, and Detection Risk

by Joseph Kirkpatrick / December 20, 2022

Driven by Risk An information security audit is largely driven by risk. We know that your clients rely upon our opinion; we don’t take that lightly. We will do everything possible to gain reasonable assurance that controls are in place and operating effectively. This is why audit risk, control risk, and detection risk are so important to us. These elements of risk overlap and work together, but they also drive…

Understanding Your SOC 1 Report: Determining your Audit Period

by Joseph Kirkpatrick / December 20, 2022

Operating Effectively Over a Period of Time When considering pursuing a SOC 1 Type II report, there’s a new element to consider: determining your audit period. It’s important to remember that a SOC 1 Type I and a SOC 1 Type II both report on the controls and processes at a service organization that may impact their user entities’ internal control over financial reporting. However, unlike a Type I report,…