Are you being asked by a top client for a SOC 1 audit report? What is a SOC 1 report? Do you need a SOC 1 audit? Below, you’ll find answers to frequently asked questions about SOC 1 audit reports and learn how your organization can benefit from having a SOC 1 report and what you can expect from your SOC 1 audit process.

What is a SOC report?
Developed by the AICPA primarily for third-party service providers, SOC (System and Organization Controls) reports are issued by CPAs and report on a service organization’s internal controls that could affect its clients’ sensitive data or financial reporting. SOC reports help a service organization’s clients, or user entities, meet regulatory and contractual requirements by giving them an objective evaluation of the effectiveness of the controls that address the compliance, operations, and financial reporting of the service organization.

What is a SOC 1 audit report?
SOC 1 engagements are performed in accordance with the Statement on Standards for Attestation Engagements No. 18 (SSAE 18), which superseded SSAE 16. SOC 1 reports are specifically designed to report on the controls at a service organization that could ultimately affect its clients’ financial statements. A SOC 1 audit is not a review of the service organization’s own financial statements, but rather an examination of the controls that are relevant to its clients’ internal control over financial reporting.

Do I need a SOC 1?
Many organizations are legally required to verify the suitability of internal controls at a service provider prior to engaging with the service provider. Generally speaking, publicly traded companies looking to comply with Sarbanes Oxley (SOX), financial institutions looking to comply with the Gramm-Leach-Bliley Act (GLBA), as well as state and local government, have all standardized on SOC reports to meet this requirement. If your clients outsource any of their information technology systems management activities to your organization, you may be asked for a SOC 1 report so they can gain a better understanding of the controls at your organization and how they meet specific requirements.

What are the benefits of getting a SOC 1 audit?
Regulations such as SOX and GLBA (among others) require the organizations they cover to maintain adequate internal controls, and those organizations pass that obligation on to the service providers they depend on. By being able to produce a SOC 1 audit report for your clients or prospects, you gain a competitive advantage and client trust by demonstrating that you have the proper internal controls in place and that an independent third party has verified them.

Who can perform a SOC 1 audit?
A SOC 1 audit can only be performed by an independent, licensed CPA firm. The CPAs must adhere to the specific standards established by the AICPA and have the technical expertise necessary to perform SOC 1 engagements.

How are SOC 1 reports used?
Generally speaking, your SOC 1 audit report will be requested and read by your client’s auditor. SOC reports are considered an “auditor to auditor report,” allowing the user entity’s auditor to rely on the service auditor’s work instead of auditing the service provider directly. A service organization shares its SOC 1 report with current and prospective clients and with their independent auditors. It’s important to note that while the existence of a SOC report is marketable, the report itself is a restricted-use document and may not be used for general marketing purposes.

What should I expect to see in my SOC 1 report?
Depending on your specific needs, a CPA can issue either a SOC 1 Type I or a SOC 1 Type II report. In a Type I report, your independent auditor offers an opinion on the fairness of the presentation of the description of your system, the suitability of the design of the controls, and whether the controls have been implemented as of a specified date. A Type II report covers the same elements and adds your auditor’s opinion on the operating effectiveness of the controls over a period of time (typically a minimum of six months), a description of the tests your auditor performed on those controls, and the results of those tests.

How does the audit process work?
KirkpatrickPrice utilizes the Online Audit Manager to ask a series of custom questions regarding your current controls, policies, and procedures to prepare you for your specific requirements. Our process will efficiently document where your organization’s security posture currently stands, provide specific guidance on identified areas of weakness, and allow you to work through as much of the audit process as possible prior to conducting the onsite portion of the audit. Our unique online approach minimizes the cost and disruption associated with extended onsite visits. Our senior-level auditors will assess, guide, monitor, test, and help mature your organization’s information security program and internal controls.

For more information about how KirkpatrickPrice can assist you in meeting your compliance objectives, contact us today.

Have you had a client tell your organization that it needs to have a SOC 1 audit performed? If your immediate reaction was, “What is a SOC 1?”, that’s completely normal. You’re in the right place!

Have you ever had your boss ask you “What is a SOC 1 audit?” and need a project timeline as soon as possible? You’re also in the right place! Have you seen competitors announce their compliance and wondered, “What is a SOC 1 and why is the competition pursuing one?” Don’t worry, we’ll cover that, too. Let’s answer three basic questions about SOC 1 audits:

  • What is a SOC 1?
  • Why do I need a SOC 1?
  • What are the benefits of a SOC 1?

What is a SOC 1 Compliance Audit?

A SOC 1 (System and Organization Controls 1, formerly Service Organization Control 1) engagement is an audit of the internal controls (policies, procedures, and technologies) that a service provider has implemented over the services it delivers to its clients. SOC 1 audits are performed in accordance with the Statement on Standards for Attestation Engagements No. 18 (SSAE 18). SOC 1 reports were designed to report on the controls at service organizations that are relevant to their clients’ financial statements. Because the control objectives in a SOC 1 address the accuracy and completeness of the processing a service organization performs on its clients’ behalf, the audit helps service organizations find and correct control gaps that could introduce errors into client information.

We most commonly perform a SOC 1 for small to medium-sized service providers who deliver managed services, application services, or any type of third-party service. Now that we’ve figured out what a SOC 1 is, the next thing to consider is: why do I need a SOC 1?

Why do I need a SOC 1?

If you’ve ever asked, “What is a SOC 1?” then you’ve probably also wondered, “Why do I need a SOC 1?” Let’s say your organization is a service provider, providing payment processing services. Why would you need a SOC 1? SOC 1 engagements are designed specifically for service providers. If you provide payment processing services to clients, your service organization may need a SOC 1 because you could potentially impact clients’ financial statements. Your service organization may need a SOC 1 report because your client or regulatory body is requesting it, or maybe because you’re being proactive with information security and compliance.

A SOC 1 report demonstrates to your clients that you take the integrity and security of their data seriously. You’ve hired a third-party auditing firm to validate that your controls are suitably designed and operating effectively, you’re gaining assurance, you’re maturing your environment – all things that assure your clients that their sensitive information is being handled in accordance with their expectations and that your report was issued under SSAE 18.

Culture of Compliance

We see many service organizations initially engage in an audit, like a SOC 1, because it’s something they are required to do by a client or regulatory body. An audit can be costly, time-consuming, and confusing – we know. So when something like a SOC 1 audit is forced on an organization, it can create a negative outlook on the entire auditing process. This attitude towards compliance makes organizations reluctant to give the audit their full effort or attention. Because a SOC 1 audit deals with something as important as internal control over financial reporting, it’s vital that the engagement receives the full attention it deserves.

We believe that the best-kept industry secret to achieving compliance success is creating a culture of compliance within your organization. Compliance isn’t a quick fix to all of your security needs; it’s a constant cycle of improvement. Audits are healthy for any organization. They help you see how you can grow and mature. After two or three years of audits, our clients come to appreciate the advantages that an audit brings.

The Benefits of a SOC 1 Audit

A SOC 1 audit can bring so many benefits to your company, especially if a culture of compliance has been created. The top six benefits of a SOC 1 include:

  • Verifying that your organization has the proper internal controls and processes in place to deliver high quality services to your clients.
  • Evaluating your policies and procedures, which are crucial to the operability of your organization.
  • Assuring clients that their sensitive data is protected, building trust between service providers and user organizations.
  • Removing the internal blinders; personnel often can’t or don’t want to see vulnerabilities that an experienced auditor does.
  • Strengthening your environment, and teaching you ways to mature your practices.
  • Giving you a competitive advantage by demonstrating your commitment to security.

View more SOC 1 compliance resources.

SSAE 16 (now SSAE 18) is the attestation standard under which a SOC 1 (Service Organization Control) report is issued. Most of the service organizations that we audit are small to medium size service providers who are delivering managed services, application services, or any type of third-party or outsourced service that a client has hired them to do. I’ve found that clients initially do this audit because they’re being required to do it, they’re being forced to do it, but later on in the process, they come to appreciate what an audit does for them.

An audit is very helpful to you as a small to medium size service provider because it helps you to validate what you’re doing, it helps you to see whether or not the controls that you’ve put into place are effective, and it’s a very valuable resource for an experienced auditor to review you without the blinders that sometimes we have on internally. When an external auditor comes in, they’re able to bring their experience and perspective to your environment and controls and provide you with very valuable guidance and recommendations to strengthen your environment. We’ve had clients who’ve been working with us for three or more years say, “The first year, I didn’t want to do it. It was just a task that we had to do.” But after year two and three, they start to see that an audit is very helpful and healthy for an organization to receive that validation and recommendations about how they can mature in their practices.

When it comes to SOC (System and Organization Controls) reports, there are three different SOC report types: SOC 1, SOC 2, and SOC 3. When considering which report fits your organization’s needs, you must first understand what your clients require of you and then consider the areas of internal control over financial reporting (ICFR), the Trust Services Criteria, and restricted use. Each SOC report type fulfills a different purpose, and organizations should understand which report will best meet their needs before embarking on the SOC audit process.

SOC 1 vs. SOC 2 vs. SOC 3

The System and Organization Controls were developed by the American Institute of CPAs (AICPA). In the context of SOC reports, internal controls are procedures designed to ensure compliance with policies relevant to company operations, laws and regulations, and financial reporting. Following an audit of internal controls by a licensed CPA, the auditor writes a SOC report service users can rely on to provide an accurate assessment of the auditee’s controls.

There are three different SOC report types, although, in most cases, organizations choose between a SOC 1 and SOC 2 report. Both result from an audit of internal controls, although they focus on different aspects of those controls. In a nutshell, SOC 1 focuses on internal controls relevant to a service user’s financial statements, whereas SOC 2 reports on controls relevant to various aspects of information security.

What Is a SOC 1 Report?

SOC 1 engagements are based on the SSAE 18 standard and report on the effectiveness of internal controls at a service organization that may be relevant to their client’s internal control over financial reporting (ICFR).

What Is a SOC 2 Report?

A SOC 2 audit evaluates the internal controls, policies, and procedures that relate to the security of a system at a service organization. A SOC 2 report is based on the Trust Services Criteria, which cover five categories: security, availability, processing integrity, confidentiality, and privacy. Security is always in scope, and the other categories are added according to the commitments the service organization makes to its clients. These criteria address internal controls unrelated to ICFR.

What Is a SOC 3 Report?

A SOC 3 report, just like a SOC 2, is based on the Trust Services Criteria, but there’s a major difference between these types of reports: restricted use. A SOC 3 report can be freely distributed, whereas SOC 1 and SOC 2 reports are restricted-use reports intended for the user organizations that rely on your services, their auditors, and other specified parties. A SOC 3 does not include the detailed description of the service organization’s system or the auditor’s tests and results, but it does provide interested parties with the auditor’s report on whether the entity maintained effective controls over its system as it relates to the Trust Services Criteria.

In addition to these distinctions, organizations can also choose between Type I and Type II SOC reports. We explain the distinction in greater depth in What’s the Difference Between SOC 2 Type I and SOC 2 Type II?

When trying to determine whether your service organization needs a SOC 1, SOC 2, or SOC 3 audit, keep these requirements in mind:

  • Could your service organization affect a client’s financial reporting? A SOC 1 would apply to you.
  • Does your service organization want to be evaluated on the Trust Services Criteria? SOC 2 and SOC 3 reports would work.
  • Does restricted use affect your decision? SOC 1 and SOC 2 reports are restricted to the user organizations that rely on your services, their auditors, and other specified parties. A SOC 3 report can be freely distributed and used in many different applications, including marketing.

Each of these reports must be issued by a licensed CPA firm, such as KirkpatrickPrice. We offer SOC 1, SOC 2, and SOC 3 engagements. To learn more about KirkpatrickPrice’s SOC services, contact us today.

What is the difference between SOC 1, SOC 2, and SOC 3 reports? SOC reports are System and Organization Controls reports (formerly called Service Organization Control reports).

SOC 1 reports work off of the SSAE 16 (now SSAE 18), which is about internal control over financial reporting. As a service organization, you may affect your user organization’s financial reporting. If so, a SOC 1 is the one for you.
The Trust Services Principles (now called the Trust Services Criteria) set out criteria dealing with security, availability, processing integrity, confidentiality, and privacy. Those criteria are what SOC 2 and SOC 3 reports are measured against.

When you issue a SOC 1 or a SOC 2 report, the report is restricted in use: it is only to be read by the user organizations who rely upon your services and their auditors, whereas a SOC 3 can be used in many different applications.

Finally, all three types of reports need to be issued by a licensed CPA firm, ideally one that specializes in this kind of engagement and in the industry that you work in. KirkpatrickPrice is a licensed CPA firm that can help you with all three types of reports – the SOC 1, SOC 2, and SOC 3.

What’s the purpose of an SSAE 16 audit and should I pursue one? If you’re new to the world of information security audits, check out this comprehensive guide on the history of SSAE 16, why it replaced the SAS 70, and how becoming SSAE 16 compliant could benefit your business.

SSAE 16: The Past and the Present

Outsourcing critical business functions, such as IT or HR, is a common practice among many businesses today. While outsourcing is a great way to cut operational costs and acquire resources that aren’t available internally, it doesn’t come without its risks. It is especially crucial to consider how outsourcing functions to service organizations could impact your internal control over financial reporting (ICFR).

In accordance with Sarbanes-Oxley (SOX), publicly traded companies are responsible for maintaining an effective system of internal control over financial reporting (ICFR). Such emphasis on governance and risk management when it comes to reporting on controls at a service organization, is the reason many organizations have chosen to require their vendors, who may have an impact on their ICFR, to obtain an SSAE 16 (SOC 1) Attestation Report.

What is SAS 70?

SAS 70 is the Statement on Auditing Standards No. 70, an older auditing standard developed by the American Institute of Certified Public Accountants (AICPA). It provides standards for reporting on controls and processes at service organizations, but, unlike later standards, did not require auditors to obtain a written assertion concerning the design and effectiveness of controls. SAS 70 was superseded by SSAE 16 in 2011, and more recently, by SSAE 18.

What is SSAE 16?

SSAE 16 is the Statement on Standards for Attestation Engagements No. 16. It provides a set of standards and guidance for attestation reporting on organizational controls and processes at service organizations. Audits performed under SSAE 16 generally result in System and Organization Controls (SOC 1) reports. Unlike earlier standards, SSAE 16 requires a written assertion from the service organization’s management, stating that its description fairly presents the system, control objectives, and operational activities that affect customers. SSAE 16 was superseded by SSAE 18 in 2017.

What is SSAE 18?

SSAE 18 is the current set of standards and guidance for reporting on organizational controls and processes at service organizations. It supersedes SSAE 16 and is intended to update and simplify the previous standards. Like SSAE 16, SSAE 18 governs SOC 1 engagements, but it also covers SOC 2 and SOC 3 engagements, which were previously performed under AT Section 101. Among other changes, SSAE 18 requires service organizations to identify the subservice organizations they depend on (and the controls they rely on at those organizations) and to provide their risk assessment to the auditor.

Out with the Old: Replacing the SAS 70

To make a long story short, CPAs had been using SAS 70 to report on things other than controls relevant to financial reporting, which SAS 70 was never intended to cover. By introducing a new attestation standard specifically for assessing service organizations, the AICPA improved the assurance these reports provide, replacing SAS 70 with the Statement on Standards for Attestation Engagements No. 16, or SSAE 16.

Not only does SSAE 16 provide a more comprehensive and descriptive assessment of controls, it also allows user organizations to appropriately assess the reliability of the controls at a service organization.

SSAE 16 vs. SAS 70: What are the Differences?

SAS 70, Cruising with The Auditing Standard

What’s the difference between SSAE 16 and SAS 70? One of the key differences is that SAS 70 is an “auditing” standard, whereas SSAE 16 is an “attestation” standard. When the AICPA made the decision to replace SAS 70, it concluded that a service organization engagement is more appropriately an examination of a system, which is different from an audit of financial statements.

SSAE 16, Going Deeper with Attestation

The SSAE 16 report requires a description of a system along with a written assertion by management on the design and operating effectiveness of the controls being reviewed. The SAS 70, however, lacked the level of detail that the SSAE 16 offers. The SAS 70 simply provided a description of controls and did not include any type of management assertion.

New and Improved: The SSAE 16 Audit Report

The SSAE 16 has been around long enough now to have gained popularity and familiarity by both service organizations and their clients. However, we still receive a fair amount of questions regarding the purpose of an SSAE 16 audit report, the components, and the benefits of a service organization obtaining an SSAE 16 audit report.

As mentioned before, the purpose of an SSAE 16 report is to report on the controls at a service organization that may have an impact on their clients’ financial reporting.

If you’re an organization who provides hosting services, data management services, etc. to a publicly traded company, it is likely you have been requested to pursue an SSAE 16 audit, and if not, you probably will at some point. An SSAE 16 report allows organizations to assess the risks associated with doing business with particular service providers.

Components of an SSAE 16 Audit Report

There is no fixed set of controls for an SSAE 16 engagement, as each is unique to the service organization and the type of business it does; management defines the control objectives and the controls that support them. However, there are common control objectives and a standard set of components that make up an SSAE 16 or SOC 1 report: the independent service auditor’s report, management’s written assertion, a description of the system, the control objectives and related controls, and (in a Type II report) the tests of operating effectiveness of the controls and their results.

Type I vs Type II Reports

There are two basic types of SSAE 16 (SOC 1) reports, Type I and Type II. Both concern the accuracy of a service organization’s description of its system and controls and the suitability of those controls for achieving the stated control objectives. They are similar in many ways, but the key difference is the period of time covered by the report.

  • A Type I report is a “point in time” report; it reports on the system and the design of its controls as of a specified date.
  • A Type II report, in contrast, reports on the design and operating effectiveness of the controls over a period of time, typically no less than six months.

It is often recommended that service organizations begin with an SSAE 16 Type I report, and then move to an SSAE 16 Type II report to demonstrate the maturing of their environment.

Learn more about Type 1 and Type 2 reports in What is the Difference Between SOC 1 Type I and SOC 1 Type II?

Benefits of Pursuing an SSAE 16 Audit Report

There are several benefits associated with obtaining an SSAE 16 audit report. First, it is a great way to demonstrate your commitment to delivering high quality services to your clients. It is also an important step in gaining the client trust you need to develop and grow your business. By engaging a third-party auditing firm to conduct an SSAE 16 audit engagement, you will not only satisfy current client demands, but gain a competitive advantage and have the opportunity to win new business.

The evolution of reporting on controls at a service organization has brought more assurance and opportunity to the marketplace. The SSAE 16 audit report is a great way for organizations to demonstrate that they have the proper internal controls in place over the services that affect their clients’ financial reporting. If you have any questions regarding obtaining an SSAE 16 audit report, whether it is the appropriate engagement for your organization, or how to prepare for your SSAE 16 audit, contact us today.