Assurance for financial controls

SOC 1 Examinations

The SOC 1 Examination has its roots in SAS 70 reports, but if you remember SAS 70, you’ve probably been at this too long. We remember SAS 70 and pour one out for it occasionally.

Who should get a SOC 1 Examination?

  • Debt Collectors
  • Payroll Processors
  • Claims Processing Organizations
  • Companies that process transactions related to their customers’ financial statement reporting

SOC 1 Examination Scope

You set your scope based upon “Control Objectives” that you define. They should be relevant to what you do for your customers and likely relevant to those checkboxes over there to the right. If you want to talk about your scope, we’ll be happy to humor a call.

HR and Entity Controls

Here we talk about background checks, security awareness training, confidentiality agreements, performance reviews and risk assessment.

Logical and Physical Access Controls

Here we talk about multifactor authentication, user access management, password controls, and all the encryption things.

Change and IT Operations Controls

Here we talk about how change is inevitable, except from a vending machine. Even if vending, you still should test your code. IT operations includes all the “other” things.

Transaction Processing Controls

So you outsourced something to someone? Great. Let’s talk about how you know that they are able to participate and excel at meeting your customers’ requirements.

Trusted SOC 1 Audit Services

Our Audit Process

We’ve been at this long enough that we can audit our way out of a paper bag. Even as paper bags have increased in overall quality, we have continually surprised ourselves by getting out before the local house cat found us.

01. Scoping and Planning

Before we get too carried away, we get to know you, what you do and what processes impact financial reporting. This lets us tailor our requests to match what you actually do instead of going on a fishing expedition with a shrimp net.

02. Control Testing and Evidence Collection

We leverage our audit portal to provide a list of requests, manage their status and assign them to all the folks you’ve voluntold to help with the audit effort. We provide near-real-time feedback as you’re submitting evidence so you know if you went over, under or hit “the bar”.

03. Reporting and Issuance

This part you usually don’t have to help with – we slip into the back room and count some beans, do some quality assurance and then present you a draft report on a platter. If it looks good, great, we finalize, if not, well… uhh… we do it again.

Building Confidence with SOC 1

Pricing for SOC 1 Examinations

Type 1 Examination starting at

$11,900

A Type 1 Examination is as of a point in time. It’s a lower level of assurance than a Type 2, but it’s also a good way to get started for first time SOC 1 goers. Sometimes, the Type 1 will get skipped.

  • SOC 1 Examination as of a Point in Time
  • Assumes fewer than 100 Employees, one system in scope
  • Business Processes not included – add $4,000

Type 2 Examination starting at

$17,900

A Type 2 Examination covers the same topics as the Type 1; however, it happens over a 6-12 month period, meaning we’ll want to confirm you did the things you said you’d do over that period of time.

  • SOC 1 Examination over a period of time
  • Assumes fewer than 100 Employees, one system in scope
  • Business Processes not included – add $4,000

Questions We Get Asked (or, FAQs)

Here are a few questions we typically get – if you don’t see what you’re looking for, let us know and we’ll be glad to add it!

A SOC 1 Type 1 report is an examination performed as of a specific point in time. We think of this as something like taking a picture of the family at a holiday. Once you wrangle all of the kids into one place and pose them, you can just keep taking the picture until everyone happens to be smiling. It’s often the starting place for companies going through SOC 1 for the first time and helps to set the stage for the Type 2 examination.

A SOC 1 Type 2 report is an examination performed over a period of time. Going back to the picture analogy, instead of taking a posed picture, you would instead take a video of everyone posing which would allow you to identify who was making funny faces. This provides a much higher level of assurance to your customers and is most likely what they are expecting when asking you for your SOC 1 report. As a service organization, we have found that the biggest leap between the Type 1 and Type 2 reports is the ability to document and evidence what the service organization is doing in a way that it can be reviewed afterward.

For a more explicit breakdown of the differences, we have a blog post right here that explains it well.

The frequency is driven by the business’s customers’ requirements. Typically, businesses undergo a SOC 1 on an annual basis.

On June 15, 2022, SSAE 21 superseded SSAE 18. Generally speaking, there were not a significant number of changes related to SOC reports; however, it did require the service auditor to include a statement about their independence within the opinion of the report.

On May 1, 2017, SSAE 18 superseded SSAE 16. Most requirements will remain the same for this transition; however, there are additional guidance and requirements that focus on maintaining a Vendor Management Program, performing periodic Risk Assessments of the business and additional focus on Complementary Subservice Organization Controls.

In some cases, customers will ask you for a SAS 70 report, as that was once the go-to standard. The SSAE 16 standard superseded it on June 15th, 2011, and SAS 70 reports are no longer allowed to be issued. You may also see the SSAE 16 report called the SOC 1, which is also accurate as they refer to the same thing.

Talk to Us!