SOC 1 engagements review the processing of transactions by service organizations whose services affect their users’ internal control over financial reporting. Examples of such service organizations include banking and insurance processing centers, third party administrators, bank service corporations, account aggregation service providers and item processing centers.
There are two types of reports: Type 1 and Type 2. A Type 1 report describes the service organization’s controls at a specific point in time. A Type 2 report includes detailed testing of the controls over a period of time that is no less than six months.
A SOC 1 report is the best way for a service organization to externally communicate information about its controls to its users. A SOC 1 report can differentiate a service organization from its competitors by demonstrating the establishment of appropriately designed and effective control objectives and control activities.
The specific areas covered by a SOC 1 report will differ according to each individual service organization’s operations. However, in every instance, the report procedures will assess the sufficiency of the design of an organization’s controls and, for a Type 2 report, the procedures will test their effectiveness.
A number of commonly covered areas include:
- Organization & Administration (control environment, human resources, etc.)
- Systems Development & Maintenance
- Logical Security
- Physical Access
- Computer Operations
- Input Controls
- Processing Controls
- Output Controls
The primary factor in determining the cost of a SOC 1 report is the size and complexity of the service organization’s operations. Moreover, a Type 2 report requires additional testing and is more costly than a Type 1.