SOC 1 Compliance (SSAE 18) Services

SOC 1 compliance audits, performed under Statement on Standards for Attestation Engagements (SSAE) 18, have existed in their current form since June 2011. Before that, the audit standard available to service organizations was Statement on Auditing Standards No. 70 (SAS 70). To meet the needs of the marketplace, SAS 70 was superseded by SSAE 16 in 2011, which was in turn superseded by the current standard, SSAE 18, effective May 1, 2017.

Understanding SOC 1 Audits


A SOC 1 report is an internal control audit report prepared exclusively for service organizations. It is a restricted-use report that may be distributed only to existing customers (the user entities) and their auditors, not to prospects. If a service organization's clients have their financial statements audited, a SOC 1 report gives those clients' auditors assurance that the controls relevant to the clients' financial reporting are suitably designed, in place, and operating effectively.

SOC 1 audits apply to organizations that provide outsourced services which can affect their customers' financial reporting. These types of businesses include, but are not limited to:

  • Software-as-a-Service (SaaS) companies (FinTech platforms, sales platforms)
  • Processing companies (payroll processing, claims processing)
  • Loan servicing companies

In most cases, an organization's customers will request a SOC 1 report when their own auditors require one. Many organizations also choose to obtain a SOC 1 report proactively so that, where clients accept it, it takes the place of the many security and control questionnaires they would otherwise have to answer for each client.

There are two main types of SOC 1 reports: Type 1 and Type 2. Each report covers three important areas:

  1. Management's Assertion
  2. Management's Description of the System
  3. Control Design and the Auditor's Test Results

However, there are some important differences between the two reports:

  • The Type 1 Audit – A SOC 1 Type 1 report is a point-in-time report: it evaluates whether the controls are suitably designed and implemented as of a specific date.
  • The Type 2 Audit – A SOC 1 Type 2 report covers a period of time, typically six to twelve months. In addition to design, it tests the operating effectiveness of the controls throughout that period, which is what a user entity's financial statement auditor generally relies on.

SOC 1 Type 2 audits are not to be confused with SOC 2 audits, which are a different type of SOC report altogether. The AICPA has also released a fourth type of report, SOC for Cybersecurity. Unlike SOC 1 and SOC 2 reports, a SOC for Cybersecurity examination can be obtained by any type of organization, not only service organizations, and it provides an in-depth evaluation of a company's cybersecurity risk management program.

Ensuring SOC 1 Compliance

Are you looking for a SOC 1 audit report? Before beginning your SOC 1 compliance journey, it is important to understand the basics of SSAE 18 and internal control reporting in general. Do you know what your SOC auditor will be looking for? Here are some preliminary questions to consider before speaking with a CPA firm that performs SOC engagements.

SOC 1 Compliance Checklist

  • Does your organization have a defined organizational structure?
  • Has your organization designated authorized employees to develop and implement policies and procedures?
  • What is your organization’s background screening procedure?
  • Does your organization have established workforce conduct standards?
  • Do clients and employees understand their role in using your system or service?
  • Has your organization performed a formal risk assessment?
  • Does your organization perform regular vendor management assessments?
  • Has your organization developed policies and procedures that address all controls?
  • Does your organization perform an annual policy and procedure review?

If you are unsure of the answers to these questions, or do not think your organization has the necessary controls in place, don't worry. Before undergoing a SOC 1 audit, it is advisable to engage an advisor for a readiness assessment, address any gaps, and map out the policies, procedures, and controls that the audit will evaluate.

Connect with Our Leaders

Anurag Sharma – Partner, Service Leader – Princeton, NJ (Corporate Headquarters)
Stephanie Fitzgerald – Partner – Princeton, NJ (Corporate Headquarters)
