What are the requirements of SOC 1?
All controls that impact financial reporting processes, including, for example, operational or production processes. Essentially, the requirements are 'free format'; however, the governing criteria of a SOC 1 report are the financial reporting processes of your customers. The implication is that financial controls, operational controls, and General IT Controls (GITCs) should generally all be included in the SOC 1 report.
How can my organization fulfill the SOC 1 requirements?
The SOC 1 requirements themselves are limited to general framework requirements only. However, SOC reporting in practice is shaped by many different best practices. If an organization does not comply with these best practices, its SOC 1 report might be perceived as a report of poor quality.
Generally, an organization needs to describe the relevant processes, the risk management framework, and a detailed control matrix. In the control matrix, control objectives and control descriptions are included.
A SOC 1 implementation should follow the international standards for accountants and use the specific accountants' jargon. Once the description has been written, all described procedures and controls need to be in place. This requires uniformity in working practices, management of the process, and the discipline of the organization to comply with these procedures.
What are the costs for a SOC 1 implementation?
This depends on the scale of the operation and the organization. If an organization uses our software solution ControlReports, the costs for a license are EUR 3.090. With a ControlReports license, the organization performs the implementation procedures itself.
The ControlReports license includes the Risklane best-practice risk management framework, based on more than 25 years of in-depth experience implementing control frameworks. If internal control knowledge is available 'in-house,' no further costs apply. For a typical IT client with 50-250 employees, additional consultants are hired for approximately 3-5 days. The average hourly costs for a consultant range from EUR 125-350.
If an organization hires our consultants to implement the entire process, the approximate resources required range from 80 to 120 days for an IT services (SaaS or managed services) client. As mentioned above, the required resources differ per industry, size of the organization, complexity, and the impact of financial and operational processes apart from the General Computer Controls.
Do we need a SOC 1 audit each year?
Generally, yes, although this is often based on the specific requirements of your customers. Typically, customers require a period under review covering a calendar or fiscal year.