Service Organization Control 1 Audits

An objective team delivering more ideas and better solutions

Service Organization Control (SOC) 1 reporting is based on Statement on Standards for Attestation Engagements (SSAE) 16 and verifies that a service organization has been through an in-depth audit of its internal control processes, including information technology and relevant enterprise-wide controls relating to outsourced services. The focus of a SOC 1 report is on controls at service organizations that are relevant to a user entity's internal control over financial reporting.

Two Types of Reports

A SOC 1 Type I report identifies whether the service organization’s internal controls are appropriately designed as of a specified date. A SOC 1 Type II report identifies whether the service organization’s internal controls are appropriately designed over a specified period of time, usually 6 to 12 months, and whether the controls are operating with sufficient effectiveness during the same period.

What are the Benefits?

  • Independent, third-party assurance of adequate internal controls
  • Demonstrates that a sound internal control environment over financial reporting data exists
  • Builds trust and strengthens relationships with customers
  • Eliminates multiple visits from auditors
  • Identifies opportunities for improvement in business process and management of information technology operations
  • Provides evidence of internal controls effectiveness for annual Sarbanes-Oxley Section 404 compliance

Who Should Consider a SOC 1 Audit?

  • Service organizations hosting or processing customer financial statement data
  • Closely regulated service organizations that must submit reports on financial reporting internal controls to regulatory agencies

The Rehmann Approach

Phase I — Project Planning
  • Develop scope of work
  • Define roles and responsibilities
  • Gain an understanding of key business processes and related information technology controls
Phase II — Readiness Assessment (if requested)
  • Evaluate the business processes and information technology controls
  • Identify control deficiencies, if any
  • Communicate control deficiencies to management
  • Review management’s control remediation
  • Assist in compiling documentation to support the description of controls
Phase III — Perform the SOC 1 Audit
  • Obtain management’s assertion of the system description and internal controls
  • Assess suitability of criteria used by management to prepare its description of controls
  • Obtain an understanding of the service organization’s system
  • Obtain evidence of management’s description of the service organization’s system
  • Obtain evidence of the design of controls
  • Obtain evidence of the operating effectiveness of controls (Type II)
  • Investigate the nature and cause of deviations, if any
  • Prepare the service auditor’s report

 

Kirk Balcom
CIA, CISA 
Internal Controls 
517.787.6503 
Jessica Dore
CISA 
Information Security 
989.799.9580
John Skukalek
CPA 
Assurance 
616.975.4100