Defined by the AICPA as the first part of the Service Organization Control series, SOC 1 addresses internal controls around financial reporting. SOC 1, 2, and 3 all follow the Statement on Standards for Attestation Engagements (SSAE 18).
While less applicable than its second and third counterparts, SOC 1 applies to businesses that directly interact with financial information for customers or partners.
What is the purpose of SOC 1?
SOC 1 compliance secures a service organization’s interaction, transmission, or storage of users’ financial statements. A SOC 1 report helps management, investors, auditors, and customers evaluate internal controls over financial reporting within guidelines laid out by the AICPA.
When and why does my business need a report?
As with most compliance frameworks, SOC 1 becomes important to your business when a prospect or customer asks to see your report. This will likely happen if you manage financial information for users, like payroll, stock options, retirement plans, and more.
Often, larger enterprises require their vendors to be compliant for the enterprise to pass their own audits. Similarly, you may need to ensure that your vendors are compliant if they are exposed to any user financial reports.
How to become compliant
Like other SOC frameworks, getting compliant with SOC 1 involves scoping the program and a gap analysis of existing and missing controls. Any missing controls should be implemented, a risk assessment needs to be executed, and finally, an official audit by a licensed public accountant.
Unlike other SOC frameworks, first, you’ll need to choose an auditor. The auditor helps identify control objectives and supporting control activities based on your system and the maturity of your product. Typically, there are three categories for control objectives. The same firm that identified appropriate controls can audit your control objectives and controls activities.
The process looks like this:
- Choose an auditor
- Help the auditor understand your product and how it interacts with or impacts financial systems
- Define control objectives and supporting control activities
- Implement control activities, based on specific control objectives
- Review and assess risk
Auditing SOC compliance
Where applicable, Laika standardizes control objectives and control activities across multiple frameworks. That means that we try to borrow the best control objectives from SOC 2 to fulfill control objectives for SOC 1. This helps save time, avoid confusion, and get your organization closer to full compliance in one swoop.
Businesses pursuing SOC 1 compliance typically start with a Type 1 report. Type 1 examines the design of your compliance program at a certain point in time. This includes any policies you have in place to protect your data, information security procedures, and any additional evidence that your compliance program is functional.
SOC 1 Type 2 compliance examines the security of your financial controls over a specified period of time, typically 9-12 months. The report includes an evaluation of the controls and corresponding evidence. It needs an annual re-evaluation to maintain compliance.
SOC 1 Audit
SOC 1 frameworks must be audited by a certified public accountant from a third-party entity. While we recommend an experienced SOC auditor examining your compliance program, you can leverage any CPA.
The timeframe for an audit is and dependent on the size of your organization and the scope of the program. Type 2 must be evaluated over a period of time to determine control effectiveness. You’ll need at least 6 months of evidence after implementation to get your Type 2.