All You Need to Know About SOC 1 Reports
System and Organization Controls (SOC) reports are designed to help service organizations give customers assurance about the design and operating effectiveness of the service organization’s internal controls. SOC reports also give customers and businesses further detail so that they can understand those controls. There are several distinct types of SOC reports, and each report has an intended audience based on the service organization’s business offerings.
What Is a SOC 1 Report?
SOC 1 reports address internal controls of a service organization that may impact a user entity’s financial statements. They define a set of control objectives that the service organization is intended to meet, along with the key controls that meet each control objective. Each control objective states a defined financial reporting objective that is relevant to the services being performed on behalf of customers. An example of a control objective for a SOC 1 could be “controls provide reasonable assurance that weekly payroll reports are complete and accurate.” The service organization will then identify specific key controls that support the control objective related to the completeness and accuracy of weekly payroll reports. The service organization may define a key control such as “weekly payroll reports are reviewed by at least two payroll administrators before distribution to the client.”
What Is the Purpose of a SOC 1 Report?
The purpose of the SOC 1 examination and report is rooted in attestation standards. The attestation standards require that service organizations provide assertions about the design and operating effectiveness of internal controls, specifically those relevant to financial reporting. The standards require that a CPA firm review the details of the assertion as well as the internal controls to ensure that the assertion provided by the service organization accurately describes the design and operating effectiveness of the controls. SOC 1 reports provide third-party attestation, by a CPA firm, that the service organization has appropriately designed controls that are operating as described in the assertion. The CPA firm provides an attestation opinion on whether the controls are designed and functioning appropriately and can be relied upon by the service organization’s users. User entities can review the SOC 1 report and evaluate, based on the control objectives and key controls, whether the financial statement risks have been appropriately mitigated by the service organization’s controls.
Who Needs a SOC 1 Report?
SOC 1 reports are typically requested of service organizations that specifically provide services that could impact users’ financial statements. Service organizations that process user transactions, report financial information that is recorded in the financial statements of user entities, or ensure that financial data is appropriately secured are common examples of entities needing SOC 1 reports. Service organizations that typically need to provide a SOC 1 report to user entities include payroll processors, third-party trust administrators, retirement plan administrators, third-party loan servicers, debt collectors, and others.
Who Uses a SOC 1 Report?
The primary use of a SOC 1 report is to assure the service organization’s users (customers/vendors) that appropriate internal controls have been designed and are operating effectively. SOC 1 reports are typically reviewed by user entity auditors when planning and performing audits of a user entity’s financial statements. The SOC 1 report provides the user entity auditor with assurance that appropriate controls relevant to financial reporting have been established at the service organization.
What Information Is Included in a SOC 1 Report?
The SOC 1 report is comprised of several sections, including the opinion, assertion, description of operations, and the test of controls. The opinion is provided and signed by the CPA firm and outlines whether the assertion accurately describes the design and operating effectiveness of the internal controls during the reporting period. The description of operations provides general information about the service organization, as well as details surrounding the processes for internal controls covered by the report. Lastly, the test of controls outlines the control objectives, key controls, the tests performed by the CPA firm, and the results of those tests. The results of the tests determine the type of opinion issued by the auditor. An unmodified opinion is issued by the auditor when the results of the testing support the assertion that the control objectives and key controls were designed and operating effectively. A qualified or adverse opinion is issued when the auditor has determined, as a result of the tests of controls, that the control objectives and controls are not designed and/or operating effectively.
McKonly & Asbury, LLP would like the opportunity to collaborate with and help service organizations through the SOC 1 audit process. For more information, be sure to visit our System and Organization Controls (SOC) service page and don’t hesitate to contact Dave Hammarberg, CPA, CFE, CISSP, GSEC, MCSE, CISA with further questions regarding SOC 1 reporting and our services.
About the Author
Josh joined McKonly & Asbury in 2006 and is currently a Director with the firm. He is a key member of the firm’s Audit & Assurance Segment, primarily working with clients in the firm’s Service Organization Controls (SOC) Practice.…