Overview of SOC 1 Reporting, Requirements and Upcoming Changes

As most accountants know, a SOC 1 (Service Organization Control) report specifically addresses an organization’s internal controls over financial reporting. SOC 1 reports are restricted-use only, meaning they are available only to the service organization generating the document and its financial auditors. These reports come in two types:

Type 1: This report outlines management’s description of the service organization’s control system, as well as the suitability of the design of controls to achieve management’s internal objectives by a specified date.

Type 2: Like the Type 1 document, this report also covers management’s description of the service organization’s control system. However, the Type 2 report reviews both the suitability of the design and the operating effectiveness of controls to achieve management’s internal objectives throughout a specified period.

All chief financial officers and other accounting and finance leaders should be aware of an upcoming shift in attestation standards that will affect SOC 1 reports, driven by SSAE 18, Attestation Standards: Clarification and Recodification. The most significant change under SSAE 18 is a new vendor management policy, under which organizations must now take greater ownership of monitoring the operating effectiveness of the controls at their subservice providers. This may include reviewing and reconciling SOC reports, holding periodic discussions with vendor organizations, making site visits to those organizations, testing internal controls at those organizations, and monitoring external communications (such as customer complaints relevant to services provided by the vendor).

The new SOC 1 requirements under SSAE 18 are effective for examination reports dated on or after May 1, 2017.


March 31, 2017