This query has been heard many times that -What is SOC 1 report? and from more than 20 years it has been trend by many organizations to outsource certain activities or business process to other organizations, this outsourcing organization is known as ‘Service organization’ and the organization or company which outsource its certain activities is known as ‘user entity’ in SOC terminology. So, a SOC 1 (also known as SSAE 18) report is called Service organization control report, this is a report on controls (Business process and IT controls) at a service organization which are relevant to user entity’s internal control over financial reporting.
The SOC 1 report is normally required for those organizations which provides financials processing types of services and those processes may potentially impact on user entities internal control over financial reporting. Such outsourced service organization may be a Payroll processor, Data Center service providing organizations, Loan service organization, Medical claims processing companies or cloud service providing companies especially which provides Software-as-a Service (SAAS) service/solutions which may impact the financials of the user entity.
For an example a Data Center service providing company may provide server room or data storage servers which can store financials transaction data or may store user entities financials reports etc. so the user entities which uses the Data center service realize the material impact of data storage that the servers store in accordance with user entity’s expectations. So, a SOC 1 report provide a reasonable assurance to the user entity that the service organization i.e Data center company internal controls are adequately designed and operating effectively to provide the Data Center service.
SOC 1 report are of two types which are generally know as SOC Type I report and SOC 1 Type II report. The description of Type I and Type II reports are:
SOC 1 Type I Report
SOC 1 Type I reports are generally referred to as point in time reports (or as of a particular date) and the reports normally include a description of a service organization’s system and the audit test the design level of service organization’s controls. The Type I report structure start with the Auditor’s opinion about the service organization controls and scoped Business processes, then Section 2 of the reports shows the Service organization Management assertion which is written by the service organization management by stating that the description of the business system is fairly presents and the control objectives were suitably designed during the Audit period of time. Section 3 of the report talks about the description of the system followed by the Section 4 which represents the description of test of controls with result of testing. The least section provides other information which service organization usually provides about relevant processes that were not tested during the Audit such as Business continuity planning and Disaster recovery etc
SOC 1 Type II Report
SOC 1 Type II reports generally cover a period of time such as 6 months and 12 months. The Type II report normally talks about the design and operating effectiveness of internal control over a period of time. Like Type I report the Type II report structure also start with the Auditor’s opinion about the scoped service organization controls and Business processes. The Section 2 of the report represents the Service organization Management assertion which is written by the service organization management by stating that the description of the Business system is fairly presents and the control objectives and operating effectiveness are suitably designed over a period of time and Audit duration. The Section 3 of the report talks about the description of the system followed by the Section 4 which represents the description of test of controls with result of testing. The least section provides other information which service organization usually provides about relevant processes that were not tested during the Audit such as Business continuity planning and Disaster recovery etc. SOC 1 Type II reports generally cover a period of time such as 6 months and 12 months. The Type II report normally talks about the design and operating effectiveness of internal control over a period of time. Like Type I report the Type II report structure also start with the Auditor’s opinion about the scoped service organization controls and Business processes. The Section 2 of the report represents the Service organization Management assertion which is written by the service organization management by stating that the description of the Business system is fairly presents and the control objectives and operating effectiveness are suitably designed over a period of time and Audit duration. The Section 3 of the report talks about the description of the system followed by the Section 4 which represents the description of test of controls with result of testing. The least section provides other information which service organization usually provides about relevant processes that were not tested during the Audit such as Business continuity planning and Disaster recovery etc.