What is SOC 1 Certification?

Systems and Process Assurance Services, SOC 1 Compliance (SSAE 18) Services


What is a SOC 1 Certification?

Unlike ISO 27001, SOC1 is not a certification but is a type of audit report issued by a Certified Public Accounting (CPA).

SOC (System and Organization Controls) audits are Internal Control Audit engagements that are performed for Service Organizations (organizations that provide certain functions for other entities on an outsourced basis). The SOC audit reports are typically required by and provided to the customers of the service organizations (user entities). SOC audits have only been available since June 2011. Prior to that time, the audit standard that was available for service organizations was Statement for Auditing Standard no. 70 (SAS 70).

A SOC 1SM report is focused on internal controls over financial reporting and is the closest reporting standard to the former SAS 70. This option is suited to service organizations that process financial transactions or financial related data for their customers. SOC 1SM reports include control objectives, supporting information technology and business process control activities that the service organization believes are relevant to its user organizations and the independent auditors of the user organizations.

SOC Requirements

Other than current best practices, there are no specific requirements or standards as to what Control Objectives and activities should be included in the audit scope. As such, user organizations and their independent auditors should evaluate the scope of reports and conclude as to its completeness for their purposes. SOC 1SM reports can either be a Type 1 or Type 2. Type 1 reports are as of a specific date and address management assertions, management’s description of the system and the design of the controls. Type 2 reports are for a period of time and in addition to addressing management’s assertions, management’s description of the system and the design of the controls it also addresses the effectiveness of the control activities from a financial auditing standpoint. For additional information about SOC 1 reports, continue here.

In fact, the PCAOB has indicated that a SOC 1SM Type 2 report is the only report that may be relied upon by independent auditors as it relates to service organization controls with regard to Section 404 of the Sarbanes-Oxley Act of 2002 (SOX). SOX requires that the management of public companies assess the effectiveness of the internal control of issuers for financial reporting. Section 404 of SOX requires the auditor of a publicly held Accelerated Filer (companies with more than $75 million in market capitalization) to attest to and report on management’s assessment of its internal controls.

If you’re looking for additional information on SOC Services, please
contact a member of Withum’s SOC Services Team.

Previous Post

Next Post

Read More
Image of bar graph on screen.

Systems and Process Assurance Services

Discover the full-range of System and Process Assurance Services that meet your compliance and risk mitigation requirements in today’s complex business environment. Our team combines Internal Controls and Information Technology […]

Learn More
Image of bar graph on screen.

SOC 1 Compliance (SSAE 18) Services

SOC 1SM compliance audits, also known as Statement on Standards for Attestation Engagements (SSAE) 18 have only been available since June 2011. Prior to that, the available audit standard for […]

Learn More