SOC 1 Type 2 Compliance Audit FAQ
Why is SOC 1 Used?
One of the most important reports for third-party (vendor) data security and SOX compliance is the SOC 1 Type 2 Attestation (some call it an Audit).
The SOC 1 Type 2 attest report provides compliance and assurance over the service provider's financial data processing for ICFR (Internal Control over Financial Reporting) and may fulfill the need for SOX compliance. The SOC 1 Attestation is popularly known as a SOC 1 Audit (by clients), SOC 1 Engagement, SOC 1 Examination, SOC 1 Certification (by clients), or SOC 1 Compliance.
SOC 1 compliance reports are part of the AICPA's SSAE 18 Attest Standard, which is used for the SOC 1, SOC 2, and SOC 3 reports. From 1992 these reports were known as SAS 70 reports. In 2011 the SOC 1 was brought under the SSAE 16 Standard and SOC 2 under AT 101. Finally, in 2017 SSAE 16 was merged along with the other SSAE standards into the single SSAE 18, bringing all SOC 1, SOC 2, and SOC 3 reports under SSAE 18. This is the main difference between SSAE 16 and SSAE 18 as it pertains to SOC compliance reports.
AT-C Section 320 provides guidance on “Reporting on an Examination of Controls at a Service Organization Relevant to User Entities’ Internal Control Over Financial Reporting”.
What does SOC 1 Mean?
SOC now stands for System and Organization Controls. The definition was changed in 2017 from the earlier Service Organization Controls, a name chosen because these compliance reports were mainly used for vendor (third-party) compliance audits of organizations that were service organizations. The auditor auditing these service organizations is called the Service Auditor (SOC Auditor).
A SOC 1 Type 2 compliance report provides assurance over the operating effectiveness of controls for a period of at least 6 months and at most 12 months, in contrast to certifications such as ISO/IEC 27001, which provide a certificate valid for 3 years. For periods not covered by the report, or periods immediately after it, some User Entities or User Auditors may insist on a SOC Bridge Letter.
What does a SOC 1 Report Comprise?
The scope of a SOC 1 Type 2 compliance report usually depends on the number of controls reported on. The SOC 1 Type 2 report comprises all the applicable controls for the control objectives in scope, as reported by the SOC Auditor (Service Auditor). The SOC 1 Type 2 report now has 4 sections: Section I is the Auditor's Opinion, Section II is the Management Assertion, Section III is the Description Criteria or System Description, and Section IV is a detailed list of controls per the applicable control objectives, along with the results of the auditor's tests of controls. Unlike a SOC 2 Type 2 report, SOC 1 does not cover the AICPA Trust Services Criteria of Security (Common Criteria), Availability, Confidentiality, Processing Integrity, and Privacy (formerly known as the Generally Accepted Privacy Principles, GAPP).
To issue a SOC 1 compliance report for a public (listed) entity, the CPA Firm must be registered with the PCAOB.
The major difference between SOC 1 and SOC 2 is the kind of data being processed or stored by the service organization. If it is financial data for ICFR, a SOC 1 report is used. In all other cases, a SOC 2 report is used.
The SOC 1 report can be qualified or unqualified.
A SOC 1 report can be shared only with Management of the Service Organization, User Entities, and User Auditors, against an NDA or a confidentiality agreement. The AICPA allows use of the SOC logo on the client's website.