KirkpatrickPrice
Innovation. Integrity. Delivered.
Everything You Need to Know About SOC 1 Audits
16057 W. Tampa Palms Blvd.
| #134
| Tampa, FL 33647
| kirkpatrickprice.com
| 800.770.2701
The SOC 1 Audits
Table of Contents
What is a SOC report?
What is a SOC 1 audit report?
Do I need a SOC 1?
What are the benefits of getting a SOC 1 audit?
Who can perform a SOC 1 audit?
How are SOC 1 reports used?
What should I expect to see in my SOC 1 report?
How does the audit process work?
What is a SOC report?
Developed primarily for third-party service providers by the AICPA, SOC (Service Organization Control) reports are issued by Certified Public Accountants (CPAs) and report on a service organization’s internal controls – policies and procedures – which could impact their client’s sensitive data. SOC reports help service organizations’ clients (referred to as user entities) to comply with regulatory and/or contractual requirements. SOC reports allow user entities to obtain an objective evaluation of the effectiveness of controls that address compliance, operations, and financial reporting of a service organization.
What is a SOC 1 audit report?
SOC 1 engagements are performed in accordance with the Statement on Standards for Attestation Engagements No. 18 (SSAE 18), formerly known as SSAE 16. SOC 1 reports are specifically designed to report on the controls at a service organization that could ultimately impact their client’s financial statements. A SOC 1 audit is not a review of a service organization’s financial statements, but rather a review of internal controls over financial reporting.
Do I need a SOC 1?
Many organizations are legally required to verify the suitability of internal controls at a service provider prior to engaging with the service provider. Generally speaking, publicly traded companies looking to comply with Sarbanes-Oxley (SOX), financial institutions looking to comply with the Gramm-Leach-Bliley Act (GLBA), as well as state and local government, have all standardized on SOC reports to meet this requirement. If your clients outsource any of their information technology systems management activities to your organization, you may be asked for a SOC 1 report so they can gain a better understanding of the controls at your organization and how they meet specific requirements.
What are the benefits of getting a SOC 1 audit?
SOX and GLBA (among others) require service organizations to have adequate internal controls in place. By being able to produce a SOC 1 audit report to your clients or prospects, you gain a competitive advantage and client trust by demonstrating that you have the proper internal controls in place and that they have been verified by a valid third party.
Who can perform a SOC 1 audit?
A SOC 1 audit can only be performed by an independent Certified Public Accountant (CPA). CPAs must adhere to the specific standards that have been established by the American Institute of Certified Public Accountants (AICPA) and have the technical expertise necessary to perform SOC 1 engagements.
How are SOC 1 reports used?
Generally speaking, your SOC 1 audit report will be requested and read by your client’s auditor. SOC reports are considered an “auditor to auditor report,” allowing the auditor to avoid having to audit the service provider directly. SOC 1 reports will be used by a service organization with current and potential clients and their independent auditors. It’s important to note that while the existence of a SOC report is marketable, the SOC reports themselves are restricted from being used for general marketing purposes.
What should I expect to see in my SOC 1 report?
Depending on your specific needs, a CPA can issue either a SOC 1 Type I or SOC 1 Type II report. In a Type I report, your independent auditor will offer an opinion on the fairness of the presentation of the description of your system, the suitability of the design of the controls, and whether the controls have been implemented as of a certain date. A Type II report is your independent auditor’s description of the operating effectiveness of the controls over a period of time (minimum of six months), your auditor’s tests of controls, and the results of the tests. Each type of report is described in the following table:
Contents | Type I | Type II
Independent Service Auditor’s Report | * | *
Service Organization’s description of controls | * | *
Offers opinion on management’s presentation of the Service Organization’s current controls | * | *
Evaluates the suitability of design of management’s description of the Service Organization’s systems | * | *
Offers a description of the Service Auditor’s tests of the operating effectiveness of controls and the results of each test | | *
How does the audit process work?
KirkpatrickPrice utilizes our Online Audit Manager to ask a series of custom questions regarding your current controls, policies, and procedures to prepare you for your specific requirements. Our process will efficiently document where your organization’s security posture currently stands, provide specific guidance on identified areas of weakness, and allow you to work through as much of the audit process as possible prior to conducting the onsite portion of the audit. Our unique online approach minimizes the cost and disruption associated with extended onsite visits. Our senior-level auditors will assess, guide, monitor, test, and help mature your organization’s information security program and internal controls.