SOC (System and Organization Controls) audits are Internal Control Audit engagements that are performed for Service Organizations (organizations that provide certain functions for other entities on an outsourced basis). The SOC audit reports are typically required by and provided to the customers of the service organizations (user entities). SOC audits have only been available since June 2011. Prior to that time, the audit standard that was available for service organizations was Statement for Auditing Standard no. 70 (SAS 70).
A SOC 1℠ report is focused on internal controls over financial reporting and is the closest reporting standard to the former SAS 70. This option is suited to service organizations that process financial transactions or financial related data for their customers. SOC 1℠ reports include control objectives, supporting information technology and business process control activities that the service organization believes are relevant to its user organizations and the independent auditors of the user organizations.
Other than current best practices, there are no specific requirements or standards as to what Control Objectives and activities should be included in the audit scope. As such, user organizations and their independent auditors should evaluate the scope of each report and conclude as to its completeness for their purposes. SOC 1℠ reports can be either Type 1 or Type 2. Type 1 reports are as of a specific date and address management’s assertions, management’s description of the system and the design of the controls. Type 2 reports cover a period of time and, in addition to addressing management’s assertions, management’s description of the system and the design of the controls, also address the effectiveness of the control activities from a financial auditing standpoint.
In fact, the PCAOB has indicated that a SOC 1℠ Type 2 report is the only report that may be relied upon by independent auditors as it relates to service organization controls with regard to Section 404 of the Sarbanes-Oxley Act of 2002 (SOX). SOX requires that the management of public companies assess the effectiveness of the internal control of issuers for financial reporting. Section 404 of SOX requires the auditor of a publicly held Accelerated Filer (companies with more than $75 million in market capitalization) to attest to and report on management’s assessment of its internal controls.