SOC 1

Internal Control over Financial Reporting

Organizations increasingly outsource non-core business processes to service organizations. A Service Organization Control (SOC) report in compliance with SOC 1 provides assurance over outsourcing regarding financial processes. The SOC 1 standard is originated due to the growing demand for control over outsourced activities. The outsourced services can be Software-As-A-Service (SaaS) providers, asset managers, data centres, property managers, etc. A FAQ and further detailed information on SOC 1 are outlined below.

What are the requirements of SOC 1?

Essentially the requirements are 'free format', however, the governing criteria of a SOC 1 report are the financial reporting process of your customers. Generally, this implies that the General Computer Controls (General IT Controls) are included in the report and all controls focussed on the financial reporting processes, this might also include operational or production processes.

How can my organization fulfill the SOC 1 requirements?

The SOC 1 requirements are limited to general framework requirements only, however general practices for SOC reporting have many different best practices. If an organization does not comply with these best practices, the SOC 1 report might be perceived as a report of poor quality.

Generally, an organization needs to describe the relevant processes, the risk management framework, and a detailed control matrix. In the detailed control matrix, control objectives and control descriptions are included.

The SOC 1 implementation is best described in accordance with international standards for accountants and specific accountants' jargon. After the description, all procedures and controls need to be in place. This requires uniformity in working procedures, management of the process, and discipline of the organization to comply with these procedures.

What are the costs for a SOC 1 implementation?

This depends on the scale of the operation and the organization. If an organization uses our software solution ControlReports, the costs for a license are EUR 3.090. With a ControlReports license, all the implementation procedures have to be performed by the organization.

The ControlReports license includes the Risklane best practice for risk management framework which is based on more than 25 years of in-depth experience with implementing control frameworks. If internal control knowledge is 'in-house' no further costs will be applicable. For a typical IT client with 50-250 employees, additional consultants are hired for approximately 3-5 days. The average hourly costs for a consultant range from EUR 125-350.

If an organization decides to hire our consultants to implement the full process, the approximate resources required range from 80 days to 120 days for a typical IT services (SaaS or managed services) client. As mentioned above, the resources required differ per industry, size of the organization, complexity, and the impact of financial and operational processes apart from the General Computer Controls.

Do we need a SOC 1 audit each year?

Generally, yes. Although this is often based on the specific requirements of your customer. Typically, a calendar or fiscal year period under review is required by customers.

SOC 1

Outsourced services require that information from a service organization is acquired to assess and address the risks associated with outsourced services. Service Organization Control (SOC) reports are internal control reports that provide this information. SOC 1 is the standard for assurance on financial processes (or processes with a financial impact for the user organization). A SOC 1 typically includes a risk management framework, a description of controls, and an assurance (audit) opinion of an independent auditor.

Industries

SOC 1 is relevant for organizations providing services to other organizations, e.g. Asset Managers, Pension Services Providers, Software As A Service (SaaS)-providers, Infrastructure As A Service (IaaS)-providers, Platform As A Service (PaaS)-providers, and Data centre Services providers. SOC 1 is relevant if outsourced processes are related to financial processes. If processes relate to General IT Controls (GITC's) an ISAE 3000 or SOC 2 might be more relevant.

Why is SOC 1 widely used for providing assurance?

Background

SOC 1 is an internationally recognized auditing standard issued by the American Institute of Certified Public Accountants (AICPA). A Service organization’s auditor's examination performed in accordance with SOC 1 is widely recognized, because it represents an in-depth audit of a service organization’s control objectives and control activities, which often include controls over information technology and related processes. For service organizations, this improves their ability to perform outsourcing services to corporates and these corporates are more likely to trust the services provided. The scope of the examination of the external auditor includes the classes of transactions in the service organization’s operations that are significant to the user organization’s financial statements, and processes that are specifically defined by the service organization.

Supervisory authorities of financial institutions require institutions such as banks, pension funds, and insurers to have control over outsourced processes to service organizations. Laws and regulations require these institutions to acquire this information of their service organizations by means of a SOC report in compliance with SOC 1; the standard for assurance over outsourcing regarding financial processes. SOC 1 is the US successor of the SAS70 standard since 2011. Internationally, the SAS70 standard was replaced by ISAE 3402. By providing assurance on outsourced processes via a SOC 1 report, insight is provided into the effectiveness of the execution of services, the security controls surrounding these services, and the presence of sufficient anti-fraud measures.

Reporting types explained

SOC 1 reports

SOC 1 is applicable when an independent auditor ("user auditor") is planning the financial statement audit of an entity ("user organization") that obtains services from another organization ("service organization"). A SOC 1 report allows service organizations to disclose their control activities and processes to their customers and their customers' auditors in a uniform reporting format. The service auditor's report, which includes the service auditor's opinion, is issued to the service organization at the conclusion of the audit. SOC 1 does not specify a pre-determined set of control objectives or control activities that service organizations must achieve. Identifying and evaluating relevant controls is generally an important step in the user auditor's overall approach for the audit of financial statements. A service auditor may issue two types of reports; a Type I report or a Type II report.

Type I report

A SOC 1 Type I report includes an opinion of an external auditor on the controls placed in operation at a specific moment in time. The external auditor examines whether the controls are suitably designed to provide reasonable assurance that the financial statement assertions are accomplished and whether the controls are in place.

Type II report

In a SOC 1 Type II report, the external auditor reports on the suitability of the design and existence of controls and on the operating effectiveness of these controls in a predefined period of six months minimum. This implies that the external auditor performs a detailed examination of the internal control of the service organization and also examines whether all controls are operating effectively in accordance with the predefined processes and controls.