The SOC 1 Report option is fast becoming the global de facto standard for reporting on controls at service organizations in today's growing regulatory compliance environment. With the SAS 70 auditing standard finally being superseded and effectively replaced by the new Service Organization Control (SOC) framework, there's 5 important things that every service organization should know about regarding the SOC 1 report option. Learn more about NDB's complimentary SOC 1 Policy Packets and SOC 2 Policy Packets. They truly make a big difference in helping service organizations save thousands of dollars on SOC compliance
1. The SOC framework is a comprehensive overhaul for service organization reporting. For approximately twenty years, the antiquated and much misused SAS 70 auditing standard provided a one-size fits all approach for reporting on controls at service organizations. From actuarial services to data centers, the SAS 70 was the go to auditing standard. However, changes, particularly relating to the migration of globally accepted accounting principles, and the AICPA's desire to keep pace with the transformation of service organizations in the last decade, led to the a new reporting framework. Known as the Service Organization Control (SOC) reporting framework, entities can now choose between SOC 1, SOC 2 and/or SOC 3 reporting options. This is a drastically different model from the one-size fits all SAS 70 auditing standard, and that's a good thing indeed.
2. There are new requirements for a SOC 1 Report. A SOC 1 report, which utilizes the SSAE 16 professional standard for reporting, requires that service organizations provide a written statement of assertion along with a description of its "system" as part of reporting. The written statement of assertion is a new requirement, while the description of a "system" is looked upon as a considerably more in-depth discussion of a service organization's controls when compared to the SAS 70 requirements for a description of "controls".
3. SOC 1 was designed for ICFR reporting. The true technical intent was for SOC 1 reports (which officially result in a SOC 1 SSAE 16 Type 1 and/or a SOC 1 SSAE 16 Type 2 report) to have a true relationship or nexus with a concept known as "Internal Control over Financial Reporting" (ICFR). However, many organizations have largely dismissed this notion and are receiving SOC 1 reports (both Type 1 and Type 2 reports) for many of today's technology driven service organizations, such as data centers, managed service providers, Software as a Service (SaaS) entities, etc. It seems the adoption of SOC 1 reporting has firmly taken root along with its acceptance by all intended users of these reports.
4. SOC 1 is fast becoming the notable reporting option. As just stated, the SOC 1 report option has gained immense traction, far outpacing its worthy siblings, SOC 2 and SOC 3. However, this may change in the future as service organizations become more familiar with the Trust Services Principles (TSP) used for SOC 2 and SOC 3 reporting.
5. Check with your clients and their compliance needs before moving forward with a SOC 1 report. Because there are three (3) reporting options (SOC 1, SOC 2, and SOC 3), you should consider consulting with you largest clients on their expectations for service organization reporting. While the vast majority undoubtedly will want and accept SOC 1 SSAE 16 reports, you may very well find a small, but growing number asking for SOC 2 and/or SOC 3 reports. A competent and well-qualified PCAOC CPA firm can provide a number of reporting options for your organization, all at a reasonable, fixed-fee.