In addition to specific contractual terms and conditions, a growing number of service customers seek partners that can provide a System and Organization Controls (SOC) 1 report, an AICPA attestation report on a service organization's controls that are relevant to its customers' financial reporting, to gain insight and assurance that information is secure, data services are well-managed and the financial controls their own auditors depend on are in place and operating.
Developed and maintained by the American Institute of Certified Public Accountants (AICPA), SOC 1 is often associated with Sarbanes-Oxley (SOX), under which the companies that use a service (the user entities) must document and test effective internal control over financial reporting, including controls they have outsourced to service providers. A SOC 1 report is how a service organization lets those customers and their external auditors rely on its controls without auditing it themselves. But beyond the regulation itself, service companies leverage SOC 1 audits and reports as a proactive, competitive tool to demonstrate commitment to well-controlled operations and compliance.
Not only does SOC 1 help service providers operate more efficiently and effectively, and spare their customers the findings and penalties that follow from undocumented outsourced controls, it often results in more, and more loyal, customers. This has come about as the customers of service providers increasingly recognize the importance of SOC 1 and demand it as the authoritative standard for independent, third-party validation of service management and financial practices and controls.
SOC 1 Audit
A SOC 1 audit is performed by an independent certified public accounting firm under the AICPA attestation standards (SSAE 18, AT-C section 320). Auditors evaluate, test, and report on the design and operating effectiveness of the service organization's controls that are relevant to its customers' internal control over financial reporting. The focus is on the control objectives the service organization defines for the services it provides, typically that client data is protected and that transactions are authorized and processed completely, accurately and on a timely basis.
A SOC 1 attestation report is the formal report resulting from the audit activity. It describes the service organization's system and the controls at the service organization that are relevant to its clients' internal control over financial reporting (ICFR), together with the auditor's opinion on them. SOC 1 reports are restricted-use reports specifically intended for the management of the entities that use the service organization and for those entities' external auditors.
SOC 1 Compliance
Organizations pursue and achieve one of two SOC 1 reports from the audit of the internal control structure and operation. A Type 1 attestation report covers the fairness of the system description and the suitability of the design of the controls to achieve the stated control objectives as of a specified date. It does not test whether the controls actually operated over time.
Most businesses, however, seek to attain and provide their clients with a SOC 1 Type 2 report. A Type 2 audit and report attest to an organization's control environment over a specified review period, commonly six to twelve months. The report includes the system description, the auditor's opinion on the design of the controls, and a description of the auditor's tests of operating effectiveness and their results, including any exceptions found. Because it covers operation over a period rather than design at a point in time, a Type 2 report gives customers and their auditors a more complete view of the control environment and is the report they can rely on for the operating effectiveness of outsourced controls.
Stepping Up to SOC 1
With the growth of cloud computing, information services and outsourced services provided to third parties, SOC 1 audits and reports seem to be the table stakes of service partnerships. Alchemi Advisory Group has the CPA credentials and the SOC 1 experience to serve organizations at any stage, whether it is time for a readiness assessment, moving from Type 1 to Type 2, or an annually renewed SOC 1 report.