What is a SOC 1 Audit?
The SOC 1 audit is based on an attestation standard developed by the American Institute of Certified Public Accountants (AICPA) to be used in the auditing of third-party service organizations, whose services are relevant to their clients’ impact over financial reporting.
A SOC 1 Type I report is an attestation of controls at a service organization at a specific point in time. It reports on the description of controls provided by management of the service organization and tests that the controls are suitably designed. A SOC 1 Type II report is an attestation of controls at a service organization over a specified period of time. It reports on the description of controls provided by management of the service organization and attests that the controls are suitably designed, implemented, and operating effectively.
What are SOC Controls?
SOC controls are a service organization’s internal controls that are tested during an audit from the System and Organization Controls (SOC) suite, which was developed by the AICPA.
These controls are integral to internal compliance, security, and privacy, and in turn inform many critical business and governance decisions.
SOC 1 Compliance Checklist
Are you looking to begin your SOC 1 compliance journey? Are you in need of guidance to get started? Do you want to know what your auditors will be looking for? This exclusive SOC 1 compliance checklist outlines the specifics on each system component that will be evaluated by your auditor during your SOC 1 audit, including:
- Does your organization have a defined organizational structure?
- Has your organization designated authorized employees to develop and implement policies and procedures?
- What is your organization’s background screening procedure?
- Does your organization have established workforce conduct standards?
- Do clients and employees understand their role in using your system or service?
- Are system changes effectively communicated to the appropriate personnel in a timely manner?
- Has your organization performed a formal risk assessment?
- Has your organization identified potential threats to the system?
- Has your organization analyzed the significance of the risks associated with each threat?
- What are your organization’s mitigation strategies for those risks?
- Does your organization perform regular vendor management assessments?
- Has your organization developed policies and procedures that address all controls?
- Does your organization perform an annual policy and procedure review?
- Does your organization have physical and logical access controls in place?