SOC 1

Internal Control over Financial Reporting

Organizations increasingly outsource non-core business processes to service organizations. The outsourced services can be provided by Software-As-A-Service (SaaS) providers, asset managers, data centre, property managers, etc. A Service Organization Control (SOC) report in compliance with SOC 1 provides assurance over outsourcing regarding financial processes. The SOC 1 standard originated due to the growing demand for control over outsourced activities. A FAQ and further detailed information on SOC 1 are outlined below.

What are the requirements of SOC 1?

All controls which impact financial reporting processes, including e.g., operational or production processes. Essentially the requirements are 'free format'; however, the governing criteria of a SOC 1 report are the financial reporting process of your customers. The implication is that the financial, operational, and General IT Controls (GITCs) should generally be included in the SOC report.

How can my organization fulfill the SOC 1 requirements?

The SOC 1 requirements are limited to general framework requirements only. However, general practices for SOC reporting have many different best practices. Suppose an organization does not comply with these best practices. In that case, the SOC 1 report might be perceived as a report of poor quality.

Generally, an organization needs to describe the relevant processes, the risk management framework, and a detailed control matrix. In the control matrix, control objectives and control descriptions are included.

A SOC 1 implementation should follow international standards for accountants and specific accountants' jargon. After the description, all procedures and controls need to be in place. This requires uniformity in working practices, management of the process, and discipline of the organization to comply with these procedures.

What are the costs for a SOC 1 implementation?

This depends on the scale of the operation and the organization. If an organization uses our software solution ControlReports, the costs for a license are EUR 3.090. With a ControlReports license, the organization performs the implementation procedures itself.

The ControlReports license includes the Risklane best practice for risk management framework, based on more than 25 years of in-depth experience implementing control frameworks. If internal control knowledge is 'in-house,' no further costs will be applicable. For a typical IT client with 50-250 employees, additional consultants are hired for approximately 3-5 days. The average hourly costs for a consultant range from EUR 125-350.

If an organization hires our consultants to implement the entire process, the approximate resources required range from 80 to 120 days for an IT services (SaaS or managed services) client. As mentioned above, the required resources differ per industry, size of the organization, complexity, and the impact of financial and operational processes apart from the General Computer Controls.

Do we need a SOC 1 audit each year?

Generally, yes. Although this is often based on the specific requirements of your customer. Typically, a calendar or fiscal year period under review is required by customers.

SOC 1

Outsourced services require that information from a service organization is acquired to assess and address the risks associated with outsourced services. Service Organization Control (SOC) reports are internal control reports that provide this information. SOC 1 is the standard for assurance on financial processes (which impact the user organization). A SOC 1 typically includes:

A risk management framework.
A description of controls.
An assurance (audit) opinion of an independent auditor.

Industries

SOC 1 is relevant for organizations providing services to other organizations, e.g., Asset Managers, Pension Services Providers, Software As A Service (SaaS)-providers, Infrastructure As A Service (IaaS)-providers, Platform As A Service (PaaS)-providers, and Data centre Services providers. SOC 1 is relevant if outsourced processes are related to financial processes. If processes relate to General IT Controls (GITC's) an ISAE 3000 or SOC 2 might be more relevant.

Why is SOC 1 widely used for providing assurance?

Background

SOC 1 is an internationally recognized auditing standard issued by the American Institute of Certified Public Accountants (AICPA). A Service organization's auditor's examination performed under SOC 1 is widely recognized because it represents an in-depth audit of a service organization's control objectives and control activities, which often include controls over information technology and related processes. The scope of the examination of the external auditor includes the classes of transactions in the service organization's operations that are significant to the user organization's financial statements and processes specifically defined by the service organization. For service organizations, this improves their ability to perform outsourcing services to corporates, and these corporates are more likely to trust the services provided.

Supervisory authorities of financial institutions require institutions such as banks, pension funds, and insurers to control outsourced processes to service organizations. Laws and regulations require these institutions to acquire this information about their service organizations using a SOC report in compliance with SOC 1; the standard for assurance over outsourcing regarding financial processes. SOC 1 has been the US successor of the SAS70 standard since 2011. Internationally, the SAS70 standard was replaced by ISAE 3402. By providing assurance on outsourced processes via a SOC 1 report, insight is delivered into the effectiveness of the execution of services, the security controls surrounding these services, and the presence of sufficient anti-fraud measures.

Reporting types explained

SOC 1 reports

SOC 1 is applicable when an independent auditor ("user auditor") is planning the financial statement audit of an entity ("user organization") that obtains services from another organization ("service organization"). A SOC 1 report allows service organizations to disclose their control activities and processes to their customers and auditors in a uniform reporting format. The service auditor's report, which includes the service auditor's opinion, is issued to the service organization after the audit. SOC 1 does not specify a pre-determined set of control objectives or activities that service organizations must achieve. Identifying and evaluating appropriate controls is generally essential in the user auditor's overall approach to auditing financial statements. A service auditor may issue two types of reports; a Type I report or a Type II report.

Type I report

A SOC 1 Type I report includes an opinion of an external auditor on the controls placed in operation at a specific moment in time. The external auditor examines whether the controls are suitably designed to provide reasonable assurance that the financial statement assertions are accomplished and whether the controls are in place.

Type II report

In a SOC 1 Type II report, the external auditor reports on the suitability of the design and existence of controls and on the operating effectiveness of these controls in a predefined period of six months minimum. This implies that the external auditor performs a detailed examination of the service organization's internal control and also examines whether all controls are operating effectively in accordance with the predefined processes and controls.