Overview of SOC 1 compliance

Outsourcing is a growing trend and companies increasingly depend on third-party providers to deliver critical services. Ten years ago, companies may have used only one or two major third-party services providers, now often depend on many providers to deliver any number of services.

Third-party providers are becoming an increasingly growing trend in today’s world. Organizations in the past may have only used one or two major third-party services, or providers, but now more recently, organizations often depend on many providers to deliver any number of services, including:

  • Information technology
  • Finance and accounting
  • Customer care
  • Human resource and benefits management
  • Payment and administration
  • Custody
  • Fund administration
  • Transfer agency

As a result of the increased reliance on third-party providers, outsourcing companies are looking for third-party assurance to provide their clients with comfort about their internal control environment. This is where SOC 1 comes into play.

SOC 1 reporting

SOC 1 reports on controls that impact the user entity’s internal controls over financial reporting and are typically used in support of the audit of a client’s financial statements. SOC 1 reports are typically produced using:

  • ISAE 3402 (issued by the International Auditing and Assurance Standards Board) used for service organizations located and operating outside the USA; or
  • SSAE 16 (issued by the American Institute of Certified Public Accountants) used for service organizations located and operating in the USA.

An ISAE 3402 or SSAE 16 engagement is an examination (similar to an audit) of a description produced by the service organization. The description will include business processes impacting the internal controls over financial reporting and include the IT systems in which these business processes operate.

Business process controls

The organization needs to define control objectives and supporting controls for each objective, in order to address the risks of the services or products that the organization provides to its customers. These controls are generally designed and implemented to support the underlying business process of the service/product provided to customers. For example, a payroll SaaS product has a process to onboard new employees and controls would be needed to govern that process and ensure all risks are addressed i.e. all new employees onboarded on the payroll system need to be approved.

Information technology general controls

For any business process, there will always be an IT system supporting that business process. Information technology general controls (ITGC) need to be included as part of the SOC 1 scope. These controls generally include, but are not limited to:

  • Logical access controls
  • Change management controls
  • Network security controls
  • Back up controls

Why do organizations need a SOC 1 report?

One of the main reasons why organizations need a SOC 1 report, is to keep the multitude of user entity auditors at bay. Organizations with 100 customers, for example, will probably have 100 auditors come knocking on their door asking for either a SOC 1 report or to audit their relevant service/product that has an impact on their customer’s financial statements. The latter can be very time-consuming and have a massive strain on the organization’s workforce.