SOC 1 Reports – Why You Need Them
Whitney Irish
Post by: Ashleigh Hall
What are SOC 1 Reports?
A Service Organization Controls (SOC) Report describes the design of the internal controls at a service provider (SP). There are multiple kinds (SOC 1, SOC 2, SOC 3); however, the SOC 1 report is the one most likely to apply to your organization. There are also two types of SOC 1 reports. A Type 1 report describes the SP’s internal control structure. A Type 2 report goes a step further: the firm engaged to issue it also tests the controls described and opines on their operating effectiveness. No such testing is performed for a Type 1 report.
Which Ones Should You Review?
At least annually, you ought to obtain and review the SOC 1 reports for your SPs whose services affect significant transactions within your organization, such as:
- Health claims vendors
- Payroll processors
- Investment custodians
- Check processing centers
- Financial reporting software
Most importantly, ensure that the “user controls” or “user entity considerations” noted in the report are in place and operating effectively within your organization. The report identifies these as controls that must exist at your organization in order for the transactions processed by the SP to be accurate and timely.
Additionally, remember that your organization remains responsible for the processing of transactions, even those that are outsourced to SPs. It’s important for you to understand the controls your providers have in place so that you can be comfortable relying on them. You should also consider any additional controls your organization should have in place to verify the correctness of the transactions.
What Are You Looking For?
When you obtain and review the SOC 1 report for one of your SPs, here are some questions to consider:
- Do the internal controls described address all activities outsourced to the provider? Or, are there any activities or aspects of those activities that are not considered?
- Was the report prepared by a reputable audit firm? Did they issue an unqualified opinion?
- Does it cover the entire reporting year of your organization?
- If you’re reviewing a Type 1 report, and therefore the SP’s controls are not tested for effectiveness, what steps should your organization take to be comfortable with the SP’s systems?
- If you’re reviewing a Type 2 report, were there any exceptions or findings reported during the testing of controls?
- Did the SP outsource any of its activities to subservice organizations? What is their involvement and were their controls included in the report?
- What are the user entity considerations noted in the report and are they implemented and operating effectively?
Once you’ve worked through these questions, determine what impact the answers may indicate for your organization. Is your organization vulnerable to fraud, error or misappropriation in any way? What steps should be taken to address testing exceptions, qualified audit opinions, user entity controls and any other considerations you noted?
By the end of your review of the SOC 1 report, and having considered the SP’s role in your organization, you ultimately want to answer one question: given the report and the controls in place at your organization related to that provider, are you comfortable relying on the accuracy and timeliness of transactions processed by that service provider?