SOC 1® – System and Organization Controls (SOC) for Service Organizations: ICFR
Report on Controls at a Service Organization Relevant to User Entities’ Internal Control over Financial Reporting (ICFR)
(In accordance with SSAE 18, AT-C Section 320, formerly SSAE 16 SOC 1® which superseded SAS 70)
These reports, prepared in accordance with AT-C section 320, Reporting on an Examination of Controls at a Service Organization Relevant to User Entities’ Internal Control Over Financial Reporting, are specifically intended to meet the needs of entities that use service organizations (user entities) and the CPAs that audit the user entities’ financial statements (user auditors), in evaluating the effect of the controls at the service organization on the user entities’ financial statements. Statement on Standards for Attestation Engagements No. 18 (SSAE 18) / SOC 1® is effective for practitioners’ reports dated on or after May 1, 2017.
The most significant change with SSAE 18, AT-C Section 320 / SOC 1® is that it requires the service organization to implement controls that monitor the effectiveness of controls at the subservice organization for SOC 1® report opinions dated on or after May 1, 2017.
A subservice organization is any third party with access (either physical or logical) to the service organization’s sensitive client data. SSAE 18, AT-C Section 320 highlights the following monitoring activities that could be implemented to achieve this requirement:
- Reviewing and reconciling output reports
- Holding periodic discussions with the subservice organization
- Making regular site visits to the subservice organization
- Testing controls at the subservice organization by members of the service organization’s internal audit function
- Reviewing Type 1 or Type 2 reports on the subservice organization’s system
- Monitoring external communications, such as customer complaints relevant to the services by the subservice organization
If your company (the ‘Service Organization’) performs outsourced services that are relevant to internal controls over the financial reporting of another company (the ‘User Organization’), your company will more than likely be asked to provide a SOC 1® report, especially if the User Organization is publicly traded. ‘Services that are relevant to internal controls over financial reporting’ can range from providing access controls over financial data to recording or manipulating financial data for the User Organization.
The primary purpose of a SOC 1® report is to provide User Organizations and their financial statement auditors with an understanding of the services being provided and a Service Auditor’s opinion as to whether the description of the system of controls is fairly presented, whether the controls are suitably designed and, in the case of a “Type 2” report, whether the controls were operating effectively over a specified period of time.
For More Information Speak to a Service Auditor at Roosa CPA, LLC (877) 410-8516
Types of Reports
The SOC 1® report is an internal controls report on the services provided by a Service Organization. The report provides valuable information that users need to assess the risks associated with an outsourced service. There are two different “Types” of examinations that can be conducted under SSAE 18, AT-C Section 320 for SOC 1® attestations. The specifics of these examinations/reports are as follows:
Type 1 Report
- Internal controls report that examines management’s description of the system to determine whether the presentation fairly represents the design and implementation of the Service Organization’s system as of the specified date.
- The controls stated in management’s description of the system were suitably designed to achieve the stated control objectives as of the specified date.
- Obtaining a Type 1 report is a good place to start for a company that has not previously been examined under the SSAE 16 standard or the current SSAE 18 standard; this type of examination enables the Service Organization to define its system of controls and confirm that the controls were implemented as of the specified date. There is no requirement for a Service Organization to graduate from a Type 1 report to a Type 2 report; the Service Organization can obtain a Type 1 report year after year. The frequency and type of report are driven by the needs of your customers.
Type 2 Report
- Internal controls report that examines management’s description of the system to determine whether the presentation fairly represents the design and implementation of the Service Organization’s system throughout the specified period.
- The controls stated in management’s description of the system were suitably designed to achieve the stated control objectives throughout the specified period.
- The controls stated in management’s description of the system operated effectively throughout the specified period to achieve the stated control objectives.
- Most Service Organizations obtain a Type 2 report annually, but the specified period that is examined is usually only the last six months. The frequency and type of report are driven by the needs of your customers.
Areas of Examination
The controls examined in the SOC 1® attestation can vary depending on the industry and on the controls directly managed by the Service Organization. The areas of our examination (the scope of the attestation) are based on the COSO and COBIT frameworks, which are currently among the most widely used and accepted frameworks in the regulatory governance environment.
- Control Environment – The organization’s controls that influence the control consciousness of its personnel are examined. This includes examining the organization’s structure, how information is communicated within the organization, and human resource policies and procedures.
- Physical Security – The organization’s controls ensuring that physical access to the business premises and information systems is limited to properly authorized individuals are examined.
- Environmental Security – The organization’s controls that protect the facility, information systems and data from environmental threats are examined.
- Computer Operations (Backups and Storage) – The organization’s controls ensuring that system data is regularly backed up, rotated or vaulted offsite, and that archived data is available for restoration in the event of a processing error or unexpected interruption are examined.
- Computer Operations (System Availability) – The organization’s controls ensuring that production systems are designed, maintained and monitored to provide system availability are examined.
- Application Change Control – The organization’s controls ensuring that application software is developed to effectively support application reporting requirements, and that changes are authorized and tested prior to production migration, are examined.
- Information Security – The organization’s controls ensuring that logical access to critical systems and data is restricted to authorized individuals are examined.
- Data Communications – The organization’s controls ensuring that data maintains its integrity and security as it is transmitted between third parties and the service organization are examined.
Time and Expense
Not every SOC 1® attestation examination has the same requirements; they vary from company to company depending on the type of services performed for customers. We have years of experience working with just about every industry and work with our clients to define the appropriate scope so that your customers’ needs are satisfied.
- A typical first-year attestation examination requires 4 to 6 weeks of resources to complete; during 1 to 2 of those weeks we will be onsite to conduct the site visit.
- During the examination process, you will have a dedicated Compliance Specialist available to answer questions and the owner is involved throughout the process.
- Call a Compliance Specialist at Roosa CPA, LLC (877) 410-8516 today for a free quote.