The goal of a SOC 1 report is to provide an independent third-party opinion of the internal controls that may affect a user entity’s financial reporting. The report is designed to provide comfort to the organization’s users and the users’ auditors regarding the controls in place at the organization.
You need a SOC 1 report when:
- Clients want information about your controls over processes that affect their financial statements.
- Clients will provide your report to their financial auditors.
- Clients request details about tests performed on transactions and accounts applicable to their financial reporting, including:
- Payables and receivables
- Payroll and benefits
- Third-party administration
- Loan and payment processing
Auditors provide two types of SOC 1 reports:
SOC 1, Type 1 tells your clients and their accountants that you have accurately described a system, that the described controls are in place, and that the controls as described should achieve your financial control objectives.
SOC 1, Type 2 goes a step further to verify that the controls did indeed function as described during a specified period, describes the tests your accountant performed to make that determination, and the results of those tests.
The SOC 1 (SSAE 18) report, which provides assurance to auditing personnel about the integrity of your system’s controls, replaced the SSAE 16 standard in 2017. Learn more here.