SOC 1 REPORT
The SOC 1 Report and Reporting Process
The SOC 1 Report is about assuring your customers that the financial information you provide to them is accurate and does not affect their bottom line in unexpected ways. Essentially, this report tells your customers that they can trust the numbers you’re providing them with to do their work and prepare their financial statements.
As such, a SOC 1 examines the controls a service provider has in place over the processing and reporting that feeds into its customers’ financial statements. The auditor evaluates whether those controls are designed and operating so that the vendor’s services do not introduce errors into the customers’ financial statements. Ultimately, the report shows whether the numbers the vendor produces could adversely affect its customers’ financials.
For example, say a financial institution is using a third-party vendor to service its loans. Included in the vendor’s service is calculating the correct loan payments or commissions. If those calculations aren’t performed correctly, loan payments may be incorrect, and that will ultimately affect the institution’s financial statement.
By obtaining a SOC 1 report, the third-party vendor can provide its financial institution customers with a level of assurance that the numbers can be trusted when the institution prepares its financial statements.
SOC reports can only be issued by CPA firms and auditors meeting criteria set by the American Institute of CPAs (AICPA), the largest member association representing the accounting profession.
Organizations that Benefit from SOC 1 Reports
- Loan Servicing Organizations
- Health Care Program Administrators
- Medical Billers
- Third-party Administrators
- Retirement Plan Administrators
- Real Estate Title Companies
- Insurance Companies
- Data Centers
- Payroll Processors
- Property Management Companies
- Software-as-a-Service Companies providing information that has an impact on their clients’ profitability
The SOC 1 Reporting Process
Securing a SOC 1 report is a multi-step process that can take anywhere from 6 to 12 months to complete, depending on the organization’s familiarity with the process and on whether the initial stages reveal deficiencies that must be addressed before the audit takes place. But with the proper partner, the entire process should cause minimal inconvenience to your organization. At Maloney + Novotny, we work to make the process of preparing a SOC report as easy for our customers as possible.
SOC reporting begins with a Readiness Assessment, followed by two stages or “types” of reports. Most SOC 1 reports evolve through all three stages. The resulting report is generally relied upon for one year.
The Readiness Assessment is the preparatory stage. It is an overall assessment across each control objective of the SOC 1, in which we work with you to develop an understanding of the systems and controls that help you deliver your services. This produces a baseline view of your organization’s systems before the audit begins. The assessment also helps you understand and develop narratives about the controls and systems in place that allow you to deliver services, which is information you’ll need to prepare part of the report. We help our clients formulate or identify the controls that will be tested during the audit stage, and we identify any gaps in operational controls that should be remediated before the audit begins, while they can still be fixed without being reported.
A distinction of SOC 1 reports, unlike SOC 2 or SOC for Cybersecurity reports, is that the service provider’s management defines its own control objectives and describes the controls it has in place to meet them for services that could affect its customers’ financial statements. For example, a debt collector would be required to describe its debt collection process in detail, and a medical biller would be required to describe in detail how it calculates the payments owed to its customers.
The Readiness Assessment usually begins with an interview where we talk with our clients to understand their systems and develop checklists of processes and controls. The clients can then use these checklists to develop longer narratives about all of the relevant systems that need to be included in the report.
Once the audit itself begins, in the Type 1 and Type 2 stages of the SOC 1 process, any deficiencies found are no longer simply remediated; they are reported and weighed in forming the auditor’s opinion.
After the Readiness Assessment is completed, we normally begin the audit with a SOC 1 Type 1 stage. The Type 1 Report describes the controls in place as of a specific date and states whether, based on our audit procedures, those controls were suitably designed and implemented as of that date. It does not test how the controls operated over time.
Because the Type 1 report only characterizes the controls at one point in time, it generally doesn’t provide enough assurance to customers that the service provider’s controls were operating effectively over time. So once the Type 1 milestone is achieved, we usually go on to produce a Type 2 Report, which attests whether the service provider’s systems and controls were in place and operating effectively over a period of time. That period may be as short as 3 months, but most often it covers up to 12 months.
Components of a SOC 1 Report
A SOC 1 Report typically contains five sections:
Section 1: This is the independent auditor’s opinion, where we state whether or not the service provider met the control objectives it laid out. The opinion will be one of the following: an Unqualified Opinion, a Qualified Opinion, or an Adverse Opinion.
The best possible result is the Unqualified Opinion, which means the results of the audit provide assurance without our having to qualify the opinion in any way. We found that the service provider’s description of its system is fairly presented, that its controls are suitably designed and (for a Type 2) operating effectively, and therefore that the services it provides which affect customers’ financial statements can be relied upon as accurate.
Slightly less ideal is the Qualified Opinion, where we provide assurance of accuracy, but qualify it in some way based on our testing of how the controls were operating. The qualifications, however, aren’t significant enough to lead us to give an adverse opinion. Clients want to avoid receiving a Qualified Opinion if possible.
Third is the Adverse Opinion, which no client wants to receive. It indicates that, in our opinion, the service provider is not meeting the control objectives it laid out, and that the deficiencies found in its controls are significant enough that its customers cannot depend on the operating effectiveness of the service provider’s controls.
Section 2: This is Management’s Assertion, where the service provider’s management asserts that its system description is accurate and its controls are suitably designed and operating as described, and commits to abiding by the engagement rules of the audit process.
Section 3: The System Description, where the service provider explains in long-form narrative how it runs its services using specific controls. This may mean detailing how it collects information, processes that information, and performs risk assessment. The company explains in detail how it accomplishes whatever services are being audited. For example, a health insurance claims processor will explain how it calculates the percentage due from the patient for each bill.
Section 4: The Test Matrix section offers a short-form listing of all of the controls described in Section 3, along with the tests performed by the independent auditor and their results. This section also lists any exceptions noted during testing. In the case of a medical biller, for example, the auditor may sample 60 of the medical bills it issued over the period under review to check that the payments due were calculated accurately. If payments were calculated incorrectly, that results in an exception in Section 4 and could also affect the opinion in Section 1, depending on the severity or frequency of the errors.
Section 5: This unaudited section provides an opportunity for the service provider to include any additional information it would like recipients to see and review. This may include responses to or explanations of the exceptions noted in Section 4 and how they have been remediated. This section may also be used to help customers operating in different industries map or cross-reference the controls identified in Section 4 to their own industry requirements.