What are the requirements of SOC 1?
Essentially the requirements are 'free format', however, the governing criteria of a SOC 1 report are the financial reporting process of your customers. Generally, this implies that the General Computer Controls (General IT Controls) are included in the report and all controls focussed on the financial reporting processes, this might also include operational or production processes.
How can my organization fulfill the SOC 1 requirements?
The SOC 1 requirements are limited to general framework requirements only, however general practices for SOC reporting have many different best practices. If an organization does not comply with these best practices, the SOC 1 report might be perceived as a report of poor quality.
Generally, an organization needs to describe the relevant processes, the risk management framework, and a detailed control matrix. In the detailed control matrix, control objectives and control descriptions are included.
The SOC 1 implementation is best described in accordance with international standards for accountants and specific accountants' jargon. After the description, all procedures and controls need to be in place. This requires uniformity in working procedures, management of the process, and discipline of the organization to comply with these procedures.
What are the costs for a SOC 1 implementation?
This depends on the scale of the operation and the organization. If an organization uses our software solution ControlReports, the costs for a license are EUR 3.090. With a ControlReports license, all the implementation procedures have to be performed by the organization.
The ControlReports license includes the Risklane best practice for risk management framework which is based on more than 25 years of in-depth experience with implementing control frameworks. If internal control knowledge is 'in-house' no further costs will be applicable. For a typical IT client with 50-250 employees, additional consultants are hired for approximately 3-5 days. The average hourly costs for a consultant range from EUR 125-350.
If an organization decides to hire our consultants to implement the full process, the approximate resources required range from 80 days to 120 days for a typical IT services (SaaS or managed services) client. As mentioned above, the resources required differ per industry, size of the organization, complexity, and the impact of financial and operational processes apart from the General Computer Controls.
Do we need a SOC 1 audit each year?
Generally, yes. Although this is often based on the specific requirements of your customer. Typically, a calendar or fiscal year period under review is required by customers.