Svc Org Control (SOC) Readiness

An objective team delivering more ideas and better solutions

Classifications of Reporting

Service Organization Control (SOC) 1 reporting is based on Statement on Standards for Attestation Engagements (SSAE) 16, Reporting on Controls at a Service Organization, and verifies that a service organization has been through an in-depth audit of its internal control processes, including information technology and relevant enterprise-wide controls relating to outsourced services. The focus of a SOC 1 report is on controls at service organizations that are relevant to user entities’ internal control over financial reporting.

With the implementation of SSAE 16, the AICPA has developed two other reports delivered to service organizations, termed SOC 2 and SOC 3 reports. These reports verify that a service organization has been through an in-depth audit of the internal control processes related to controls over security, availability, processing integrity, confidentiality, and privacy of non-financial information. The AICPA and the Canadian Institute of Chartered Accountants (CICA) developed the Trust Services Principles, Criteria, and Illustrations for Security, Availability, Processing Integrity, Confidentiality, and Privacy as the standard for completing SOC 2 and SOC 3 services.

Two types of SOC reports

A SOC 1 Type I report identifies whether the service organization’s internal controls are appropriately designed as of a specified date. A SOC 1 Type II report identifies whether the service organization’s internal controls are appropriately designed over a specified period of time, usually 6 to 12 months (which can be as few as 2 months for SOC 2 and SOC 3), and whether the controls operated with sufficient effectiveness during that same period.

What are the benefits of a readiness assessment?

  • Helps ensure service organizations have sufficient internal controls in place to achieve an unqualified opinion from the independent service auditor.
  • Helps service organizations determine if the scope of the SOC audit should be a Type I or Type II report.
  • Helps service organizations determine for a Type I report the effective date the controls were placed in operation and for a Type II report what the reporting period should be.

The Rehmann Approach

Phase I — Project Planning
  • Develop scope of work
  • Define roles and responsibilities
  • Gain an understanding of key business processes and related information technology controls
Phase II — Control Evaluation
  • Assist in compiling documentation to support the description of controls
  • Evaluate the business process controls and information technology controls
  • Identify control deficiencies, if any
Phase III — Reporting
  • Communicate control deficiencies to management
  • Review management’s control remediation plans and timelines for completion
  • Prepare the readiness assessment report that includes management’s remediation plans and timelines for completion

Kirk Balcom
CIA, CISA 
Internal Controls 
517.787.6503 
Jessica Dore
CISA 
Information Security 
989.799.9580
John Skukalek
CPA 
Assurance 
616.975.4100