What is a SOC 1?
SOC 1 was developed by the American Institute of Certified Public Accountants (AICPA) and produces an examination report based upon the AICPA’s Statement on Standards for Attestation Engagements Number 18 (SSAE 18). The SOC 1 report is intended for customers which you have a responsibility for controls over their financial reporting processes. The report typically tests transaction processing integrity controls, computer security controls, program change management controls, IT operations controls and entity level controls of your organization.
What happened to SSAE 16 and SAS 70?
On May 1, 2017, the SSAE 18 superseded SSAE. Most requirements will remain the same for this transition, however, there is additional guidance and requirements that focus on maintaining a Vendor Management Program, performing periodic Risk Assessments of the business and additional focus on Complementary Subservice Organization Controls.
In some cases, customers will ask you for a SAS70 report as that was once the go-to standard. The SSAE 16 standard superseded it on June 15th, 2011 and SAS 70 reports are no longer allowed to be issued. You may also see the SSAE 16 report called the SOC 1, which is also accurate as they refer to the same thing.
Who should get a SOC 1?
Types of businesses where SSAE 18 / SOC 1 reports are typically the most appropriate are as follows:
- Debt Collectors
- Payroll Processors
- SaaS Providers
- Claims Processing Providers
- Transaction Processing Organizations
What is the Scope of a SOC 1 Report?
For your report, you will define (in consultation with your customers) a set of “Control Objectives” within each of the main testing areas that are tailored to how you conduct business. Then, within each Control Objective, you will identify key controls that work together to achieve the desired Control Objective. Control Objectives typically cover the following areas:
- HR and Entity Level Controls
- Logical Access Controls
- Physical and Environmental Controls
- Application and Infrastructure Change Management Controls
- IT Operations Controls
- Data Input Controls
- Data Processing Controls
- Data Output and Reporting Controls
How Often Do Businesses Get a SOC 1?
The frequency is driven by the businesses’ customers’ requirements. Typically, businesses undergo a SOC 1 on an annual basis.
What is a SOC 1 Type 1?
A SOC 1 Type 1 report is an examination performed as of a specific point in time. We think of this as something like taking a picture of the family at a holiday. Once you wrangle all of the kids into one place and pose them, you can just keep taking the picture until everyone happens to be smiling. It’s often the starting place for companies going through SOC 1 for the first time and helps to set the stage for the Type 2 examination.
What is a SOC 1 Type 2?
A SOC 1 Type 2 report is an examination performed over a period of time. Going back to the picture analogy, instead of taking a posed picture, you would instead take a video of everyone posing which would allow you to identify who was making funny faces. This provides a much higher level of assurance to your customers and is most likely what they are expecting when asking you for your SOC 1 report. As a service organization, we have found that the biggest leap between the Type 1 and Type 2 reports is the ability to document and evidence what the service organization is doing in a way that it can be reviewed afterward.
For a more explicit breakdown of the differences, we have a blog post right here that explains it well.
Our professionals have years of experience in both performing SSAE 18 and SOC audits as well as years of experience in helping companies get prepared to go through the audit process. We are able to walk you through the entire process from start to finish to help achieve results that are representative of how you do business.
We are able to assist through each step of the audit process:
- Conduct a pre-assessment to identify areas that may need improvement prior to being audited
- Assist you with interpreting your customers’ assurance needs and determine what (if any) reports would be appropriate to pursue
- Perform the audit and arrange for the delivery of the final report from a licensed CPA firm
The type of report that you need is dictated by how your customers rely upon the services that you provide to them. While there are some clear cut requirements for each type of report, often times you can select the report that works best for a majority of your customers.
The Audit Experience
We aim to make the audit experience as pain free as possible for you. Our professionals will work with you to customize our process to help you meet the needs of your business.
- Once engaged, we will work with you to determine your needs for timing and schedule our activities accordingly. The audit fieldwork process typically takes about 2-3 weeks from start to finish, with our draft report being issued about 3-4 weeks after fieldwork has started.
- Prior to our visit, we will talk through the audit with you to make sure that your expectations are set, and we will send an initial information request list that will allow us to be prepared for our onsite visit. We have found that clients who do their best with this initial information request have a much quicker and easier on site visit than those who do not.
- A large portion of our work can be completed during a 1-3 day trip to your primary business location. During the visit, we will need to speak to process owners for each of the areas within scope of the report and have time to walk through and understand your business and IT processes.
- After our visit to your business location, we continue working on your audit remotely by documenting our visit, asking follow up questions and gathering additional audit evidence from you (if needed).
- Once we have completed fieldwork, your report will then go through our quality control processes and quality control processes at a licensed CPA firm. Once that is complete, the CPA firm will send you a draft of the report for your review.
How Much Does a SOC 1 Cost?
Without discussing your business with you, it is very difficult to provide an accurate price estimate that will meet your business’s requirements for its audit. However, everyone is always curious about what price should be expected for a quality audit to be performed by professionals, so we have made a few assumptions geared towards smaller businesses to come up with the below costs. Please keep in mind that these are not quoted prices for your business, but if you fit into many of the assumptions we have made, they will typically be accurate.
- One business location is in scope, and that location is within the continental United States (not in a high hotel cost location)
- No business processes in scope
- Less than 100 employees
SOC 1 Prices
The prices below are based upon the scope assumptions noted above.
- Type 1 – $10,900 (add $4,000 for business processes – will need to review scope to confirm)
- Type 2 – $16,900 (add $5,000 for business processes – will need to review scope to confirm)
- Pre-Assessment – $10,000 (incremental to the audit cost)