Everything You Need to Know About SOC 1 Audits

by Sarah Harvey / September 19th, 2017

Are you being asked by a top client for a SOC 1 audit report? What is a SOC 1 report? Do you need a SOC 1 audit? Below, you’ll find answers to frequently asked questions about SOC 1 audit reports and learn how your organization can benefit from having a SOC 1 report and what you can expect from your SOC 1 audit process.

What is a SOC report?
Developed primarily for third-party service providers by the AICPA, SOC (System and Organization Controls for Service Organizations) reports are issued by CPAs and report on a service organization’s internal controls that could impact their clients’ sensitive data. SOC reports help service organizations’ clients, or user entities, to comply with regulatory and contractual requirements. SOC reports allow user entities to obtain an objective evaluation of the effectiveness of controls that address compliance, operations, and financial reporting of a service organization.

What is a SOC 1 audit report?
SOC 1 engagements are performed in accordance with the Statement on Standards for Attestation Engagements No. 18 (SSAE 18), formerly known as SSAE 16. SOC 1 reports are specifically designed to report on the controls at a service organization that could ultimately impact their clients’ financial statements. A SOC 1 audit is not a review of a service organization’s financial statements, but rather a review of internal controls over financial reporting.

Do I need a SOC 1?
Many organizations are legally required to verify the suitability of internal controls at a service provider prior to engaging with the service provider. Generally speaking, publicly traded companies looking to comply with Sarbanes-Oxley (SOX), financial institutions looking to comply with the Gramm-Leach-Bliley Act (GLBA), as well as state and local governments, have all standardized on SOC reports to meet this requirement. If your clients outsource any of their information technology systems management activities to your organization, you may be asked for a SOC 1 report so they can gain a better understanding of the controls at your organization and how they meet specific requirements.

What are the benefits of getting a SOC 1 audit?
SOX and GLBA (among others) require service organizations to have adequate internal controls in place. By being able to produce a SOC 1 audit report to your clients or prospects, you gain a competitive advantage and client trust by demonstrating that you have the proper internal controls in place and that they have been verified by a valid third party.

Who can perform a SOC 1 audit?
A SOC 1 audit can only be performed by an independent CPA. CPAs must adhere to the specific standards that have been established by the AICPA and have the technical expertise necessary to perform SOC 1

How are SOC 1 reports used?
Generally speaking, your SOC 1 audit report will be requested and read by your client’s auditor. SOC reports are considered an “auditor to auditor report,” allowing the auditor to avoid having to audit the service provider directly. SOC 1 reports will be used by a service organization with current and potential clients and their independent auditors. It’s important to note that while the existence of a SOC report is marketable, the SOC reports themselves are restricted from being used for general marketing purposes.

What should I expect to see in my SOC 1 report?
Depending on your specific needs, a CPA can issue either a SOC 1 Type I or a SOC 1 Type II report. In a Type I report, your independent auditor will offer an opinion on the fairness of the presentation of the description of your system, the suitability of the design of the controls, and whether the controls have been implemented as of a certain date. A Type II report adds your independent auditor’s description of the operating effectiveness of the controls over a period of time (minimum of six months), your auditor’s tests of those controls, and the results of the tests.

How does the audit process work?
KirkpatrickPrice utilizes the Online Audit Manager to ask a series of custom questions regarding your current controls, policies, and procedures to prepare you for your specific requirements. Our process will efficiently document where your organization’s security posture currently stands, provide specific guidance on identified areas of weakness, and allow you to work through as much of the audit process as possible prior to conducting the onsite portion of the audit. Our unique online approach minimizes the cost and disruption associated with extended onsite visits. Our senior-level auditors will assess, guide, monitor, test, and help mature your organization’s information security program and internal controls.

For more information about how KirkpatrickPrice can assist you in meeting your compliance objectives, contact us today.