SOC 1 Examinations

SOC 1 Examinations are intended to meet the needs of entities that use service organizations (user entities) and the CPAs that audit the user entities in evaluating the effect of the controls at the service organization on the user entities’ financial statements. We work with the service organization to produce the report its customers are requesting.

Service organizations that would typically receive a SOC 1 report consist of third-party service providers, insurance companies, and payroll and benefits processors as well as trust departments. Broadly, any service organization that provides services to customers that directly impact the customer’s financial statements would be a candidate for such a report. Service organizations should evaluate their needs along with their customers’ reporting needs prior to determining the type of SOC report that is applicable to their needs.

SOC 1 Type I

SOC 1 Type I reports are defined as a report on the fairness of the presentation of management’s description of a service organization’s system and the suitability of the design of controls to meet the related control objectives. SOC 1 Type I examinations focus on the service organization’s system narrative, as well as the design effectiveness of the controls within the system and are focused on the system and controls in place at a specific point in time. Type I reports consist of the description of service organization’s “system” and controls, management’s assertion on the fair presentation and design of the service organization’s system, and the auditor’s report and opinion.

SOC 1 Type II

SOC 1 Type II reports are defined as a report on the fairness of the presentation of management’s description of a service organization’s system and the suitability of the design and operating effectiveness of controls to achieve the related control objectives.  SOC 1 Type II examinations differ from the Type I examination, since the reports include an opinion on the operating effectiveness of the controls, in addition to the design effectiveness covered in a Type I. Type II reports also cover a period of time (at a minimum, six months), as opposed to a point in time. SOC 1 Type II engagements are generally much more thorough and require more time to complete because of the requirement to test the operating effectiveness of controls. The components of a Type II report are similar to a Type 1 report but are expanded to include the procedures used by the auditor to test the stated controls and the results of such tests.