A SOC 1 audit is an audit at a service organization related to internal control over financial reporting (ICFR). SOC 1 audits were developed by the AICPA and follow the Statement on Standards for Attestation Engagements No. 18 (SSAE 18).
A SOC 3 report covers the performance and reporting requirements for an examination of controls at a service organization relevant to security, availability, processing integrity, confidentiality, and privacy, and results in a general-use report.
A SOC for Cybersecurity report covers the performance and reporting requirements for an examination of an entity's cybersecurity risk management program and related controls.
A Type-1 report describes the service organization's controls at a point in time. This report focuses on the design of the controls to achieve the related control objectives. It includes the service auditor's opinion, management's assertion, and the description of the system.
A Type-2 report focuses on both the design and operating effectiveness of controls over a period of time, typically at least six months. It includes all of the information in a Type-1 report with the addition of the service auditor's tests performed for each control and the results of those tests. From an auditor's perspective, only the SOC 1 Type-2 report provides assurance over the operating effectiveness of a service organization's controls relevant to its clients' financial transactions.
Any service organization that needs independent validation of the controls over how it transmits, processes, or stores client data may need a SOC report. Additionally, as a result of legislative requirements such as the Sarbanes-Oxley Act, as well as increased scrutiny of third-party controls, clients are increasingly requiring SOC reports from their service organizations.
Pricing for a SOC 1 audit depends on scoping factors, including business applications, technology platforms, physical locations, third parties, and audit frequency. Pricing will also vary based on the report type you choose, inclusion of a gap analysis, or inclusion of additional remediation time.
Yes. A SOC report will contain the auditor's opinion covering the following areas:
- Whether the service organization's description of its system and controls is presented fairly
- Whether the service organization's controls are suitably designed
- Whether the service organization's controls operated effectively over the specified period (Type-2 report only)
If the above items have been achieved by the service organization, the service auditor issues an "unqualified" opinion. If they were achieved overall but the service auditor found significant exceptions (i.e., a control objective was either not in place or not effective), the service auditor issues a "qualified" opinion, one form of modified opinion. If, however, the service organization materially failed one or more of the above, the service auditor issues an "adverse" opinion.
No. SOC 1 and SOC 2 reports are restricted-use reports intended for the service organization's clients and their auditors. Only SOC 3 reports can be distributed for marketing purposes: a SOC 3 report is ordinarily a general-use report, which means that management of the service organization may provide it to anyone.
A SOC audit can only be performed by an independent CPA firm. The CPAs must adhere to the specific attestation standards established by the AICPA and have the technical expertise to perform such engagements.