SOC 1℠ compliance audits, also known as Statement on Standards for Attestation Engagements (SSAE) 18, have only been available since June 2011. Prior to that, the available audit standard for service organizations was the Statement for Auditing Standard no. 70 (SAS 70). To meet the needs of the current marketplace, the SAS 70 standard was superseded by the SSAE 16, which was in turn superseded by the current SOC standard, the SSAE 18, which went into effect May 1, 2017.
A SOC 1℠ compliance report is an internal control audit prepared exclusively for service organizations. It’s a required restricted-use report that can only be distributed to existing customers and their auditors, not prospects. If a service organization’s clients have their financials audited, a SOC 1℠ report gives those clients’ auditors assurance that proper controls are implemented, operational, and effective.
As mentioned, SOC 1 audits are required for organizations that provide some sort of outsourced services for customers and clients. These types of businesses include, but are not limited to:
In most cases, an organization’s customers will reach out and request a SOC 1 report when their auditors require one. However, where allowed, many organizations opt to have a SOC 1 audit performed in lieu of answering the multiple security questionnaires they receive from various clients.
There are two main types of SOC 1 audits – the Type I and Type II reports. Each report covers three important areas:
However, there are some important differences between the two reports:
SOC 1 Type 2 audits are not to be confused with SOC 2 audits, which are a different type of SOC compliance report altogether. The AICPA also released a fourth type of audit, the SOC for Cybersecurity report, in May 2018. Unlike SOC 1 and SOC 2 reports, the SOC for Cybersecurity audit can be performed by any type of organization, and it provides an in-depth evaluation of a company’s cybersecurity risk management program.
Are you looking for a SOC 1 audit report? Before beginning your SOC 1 compliance journey, it’s important to understand the basics of the SSAE 18 and internal control reporting in general. Do you know what your SOC auditor will be looking for? Here are some preliminary questions to consider before speaking with an accredited SOC professional.
If you’re unsure of the answers to these questions or don’t think your organization has controls in place, don’t worry. Before getting a SOC 1 report, you’ll need to engage with an advisor to address any compliance concerns and map out the policies and procedures to be evaluated by the audit.
To start your SOC 1 audit journey, or to get help mapping controls, contact one of our SOC specialists online or give us a call at (609) 520-1188 and ask for Tony Chapman.