What is a SOC 1 Report?
Has a prospect recently asked if your organization has a SOC 1 report? Has a top client requested that you begin completing annual SOC 1 audits? Meanwhile, you’re just wondering, what is a SOC 1 report? Does your service organization affect user organization’s financial reporting? A SOC 1 would apply to you. SOC 1 engagements are based on the SSAE 18 standard developed by the AICPA and report on the effectiveness of internal controls at a service organization that may be relevant to their client’s internal control over financial reporting (ICFR). A SOC 1 report is the only type of SOC report that evaluates and tests financial reporting. Receiving a SOC 1 report establishes a greater level of trust with clients, gives your organization a competitive advantage, and shows your commitment to protecting sensitive information.
5 Components of a SOC 1 Report
In a SOC 1 report, an independent auditor attests that management’s description of a service or system is suitably designed and that the controls are suitably designed in the attainment of the control objectives. SOC 1 reports issued by KirkpatrickPrice will contain a fair presentation and description of the internal controls within the scope of the audit. The controls described are only those that relate to a user organization’s ICFR, and to the services that service organizations provides to them. It will also describe the objectives of each control, whether the controls were suitably designed to achieve their objectives, and, for Type II audit engagements, whether the controls were operating effectively throughout the review period. A SOC 1 report also includes five major sections, which map with the five Committee of Sponsoring Organizations (COSO) components:
1. Control Environment
The control environment is the foundation for all other components of internal control. It sets the tone of an organization that influences the control consciousness of its people. In other words, it establishes the overall attitude, awareness, and actions of the board of directors, management, and employees concerning the importance and emphasis of internal control in the entity.
2. Risk Assessment
Risk assessment is not just the identification and evaluation of the significance of risk, but also involves how those risks are to be managed within your organization’s environment. COSO states that risks relevant to financial reporting include external and internal events that may occur and adversely affect the achievement of financial reporting objectives.
3. Control Activities
The policies and procedures established to provide reasonable assurance that management’s directives to mitigate risk are executed. Control activities may be preventative or detective, and include the traditional internal controls, such as processing, recording, approving, and reconciling transactions. They occur on a day-to-day routine basis throughout the organization and at all levels to record the transactions and events that create the financial statements. Controls fall into three categories: general controls, application controls, and physical controls.
4. Information and Communication
This refers to the identification, retention, and transfer of information in a timely manner enabling personnel to execute their responsibilities. The quality of information impacts management’s capacity to make decisions to direct the entity’s activities and prepare financial statements. Communication includes obtaining, providing, and sharing information, both internally and externally.
A process that evaluates whether each of the five internal control components, and the principles within each component, are present and functioning. The process may be achieved through separate evaluations or ongoing activities. Monitoring also includes initiating appropriate corrective actions.
A SOC 1 report provides an independent opinion on the establishment of effectively designed control objectives and control activities. A SOC 1 report is issued by a qualified, independent, certified public accounting firm. If you want to learn more about what it takes to complete a SOC 1 audit, contact us today.
An SSAE is a statement on standards for attestation engagements. These are technical pronouncements from the AICPA, which is the American Institute of Certified Public Accountants. The SSAE 18 (formerly SSAE 16) is specifically designed for service organizations. What the independent auditor is attesting to is that management’s description of the service or system that the users have access to is suitably designed and that the controls are suitably designed in the attainment of the control objectives. Also, for a Type II report, the auditor is attesting to the fact that the controls were operating effectively during the period.
The service organization receives a report from the independent auditor, and that report can be shared with their user organizations, as they would rely upon that during their audit, as they are concerned about internal control over financial reporting. An SSAE 18 is issued by a qualified, independent, certified public accounting firm.