Service Organization Control ("SOC") Audit
In today's regulation-intensive marketplace, third-party service organizations are noticing more user organization RFPs that require an SOC 1 or SOC 2 audit report to assert that internal controls are appropriately designed and operating effectively, with the primary goal of protecting user organization data and transactions. Those service organizations that can provide an SOC 1 or SOC 2 audit report from an independent CPA firm can differentiate themselves in the marketplace and demonstrate a strong commitment to protecting user organization assets.
Quasar Associates can assist you with your SOC audit readiness and compliance efforts. Our team of experienced associates will provide education regarding SOC audit requirements, assist with readiness assessment, conduct the actual SOC audit, and deliver a corresponding SOC audit report. Our goal is to help you execute your SOC audit in an efficient, affordable manner that will not disrupt your business.
What is an SOC 1 Audit?
A Service Organization Control 1 Audit (“SOC 1 Audit”) is conducted by an independent CPA audit firm under the American Institute of Certified Public Accountants (“AICPA”) Statement on Standards for Attestation Engagements (“SSAE”) number 18 (which superseded prior audit standards “SSAE 16” and “SAS 70”). An SOC 1 audit report provides an independent assessment of a service organization's internal controls and safeguards when that company hosts or processes financial transactions and data belonging to its clients, the user organizations.
Widely recognized as a mark of internal control quality, an SOC 1 audit demonstrates that a service organization has conducted an in-depth audit of its control activities, including entity-level, financial, and information technology-related internal controls. The SOC 1 audit report provides credible proof to your customers and prospects that their critical data and transactions are secure.
Types of SOC 1 Audits
Type I - Officially known as a "Report on Controls Placed in Operation" or a Type I SOC 1 Audit Report, this audit provides an independent verification by a licensed CPA firm as to whether control activities described by the service organization are suitably designed to meet specified control objectives and whether the controls were in place as of a specified review date.
In a Type I SOC 1 audit, the audit firm is verifying that the relevant controls were placed in operation as of a specified date. However, the Type I audit does not verify the operating effectiveness of the controls by testing them over a period of time.
Type II - Officially known as a "Report on Controls Placed in Operation and Tests of Operating Effectiveness" or a Type II SOC 1 Audit Report, this audit provides independent third-party verification by a licensed CPA firm as to whether control activities described by a service organization are suitably designed to meet specified control objectives and were in place and operating effectively over a period of time that is typically at least a six-month period.
Benefits of an SOC 1 Audit
An SOC 1 audit offers many potential benefits to service organizations, such as the following: