Focusing on Controls Related to Financial Reporting
What is a SOC 1 Report?
SOC 1 reports focus on a service organization’s controls that could affect its clients’ financial reporting. These engagements are performed in accordance with the American Institute of Certified Public Accountants (AICPA) Statement on Standards for Attestation Engagements (SSAE) 18, Attestation Standards: Clarification and Recodification.
What is the Difference Between a SOC 1 Type 1 vs. Type 2?
There are two types of SOC 1 reports: Type 1 and Type 2. The difference between a Type 1 and a Type 2 report is the period in scope. A Type 1 report addresses the suitability of the design and implementation of controls at a specific point in time (as of MM/DD/YYYY). A Type 2 report addresses the operating effectiveness of controls over a defined period of time, rather than as of a specific point in time. A SOC 1 Type 2 report ensures that certain internal control processes are efficient, consistent, and documented, thus yielding improved operational performance.
Who is Required to Have a SOC 1 Report?
A customer may require a SOC 1 report if an organization provides services that can directly impact or affect its clients’ financial data, or if the organization’s clients will use the report to support an audit of their own financial data. Industry examples include:
- Data Centers
- Cloud Service Providers
- Software as a Service (SaaS) Providers
- Payroll Processing
- Medical Claims Processing
- Human Resources Support Services
- Lending Services
SOC 1 reports can be a good way to differentiate the services you provide to your clients from those provided by a competitor without a SOC 1 report. SOC 1 reports are often necessary when the user entity is publicly traded and must comply with SOX 404 or similar regulations. It is important to go through this process with a trusted advisor.