FINRA's BrokerCheck

Svc Org Control 1 Audits

Service Organization Control (SOC) 1 reporting is based on Statement on Standards for Attestation Engagements (SSAE) 16 and verifies a service organization has been through an in-depth audit of the internal control processes including information technology and relevant enterprise-wide controls relating to outsourced services. The focus of a SOC 1 report is on controls at service organizations that are relevant to a user entity's internal control over financial reporting.

Two Types of Reports

A SOC 1 Type I report identifies whether the service organizations' internal controls in place are appropriately designed as of a specified date in time. A SOC 1 Type II report identifies whether the service organization's internal controls are appropriately designed over a specified period of time, usually 6 to 12 months, and if the controls are operating with sufficient effectiveness during the same period of time.

What are the Benefits

  • Independent, third-party assurance of adequate internal controls
  • Demonstrates that sound internal control environment over financial reporting data exists
  • Builds trust and strengthens relationships with customers
  • Eliminates multiple visits from auditors
  • Identifies opportunities for improvement in business process and management of information technology operations
  • Provides evidence of internal controls effectiveness for annual Sarbanes-Oxley Section 404 compliance

Who Should Consider an SOC 1 Audit?

  • Service organizations hosting or processing customer financial statement data
  • Closely regulated service organizations who must submit reports on financial reporting internal controls to regulatory agencies

The Rehmann Approach

Phase I - Project Planning

  • Develop scope of work
  • Define roles and responsibilities
  • Gain an understanding of key business processes and related information technology controls

Phase II - Readiness Assessment (if requested)

  • Evaluate the business processes and information technology controls
  • Identify control deficiencies, if any
  • Communicate control deficiencies to management
  • Review management's control remediation
  • Assist in compiling documentation to support the description of controls

Phase III - Perform the SOC 1 Audit

  • Obtain management's assertion of the system description and internal controls
  • Assess suitability of criteria used by management to prepare its description of controls
  • Obtain an understanding of the service organization's system
  • Obtain evidence of management's description of the service organization's system
  • Obtain evidence of the design of controls
  • Obtain evidence of the operating effectiveness of controls (Type II)
  • Investigate the nature and cause of deviations, if any
  • Prepare the service auditor's report

Thought Leadership

Meet The Rehmann Team

Start typing a name ...
Searching for "{{nameQuery}}"...
Start typing a experience ...
Searching for "{{experienceQuery}}"...
Start typing a location ...
Searching for "{{locationQuery}}"...
Or view a list of team members