Build trust with SOC 1 in 2024

SOC 1 is a reporting framework developed by the American Institute of Certified Public Accountants (AICPA). SOC 1 reports, also known as the Statement on Standards for Attestation Engagements No. 18 (SSAE 18) report, is designed to evaluate the internal controls of a service organisation that are relevant to the financial statements of its customers.

The SOC 1 report provides information about the design and effectiveness of the controls implemented by the service organisation to ensure the reliability of the financial information processed on behalf of its clients. It focuses on controls that are likely to be relevant to the financial reporting of the user entities.

The SOC 1 report helps user entities gain assurance about the service organisation's controls and their impact on the user entities' financial statements. It provides valuable information for auditors and stakeholders who rely on outsourced services to support their financial reporting processes.

The main driver we see for SOC 1 which comes with a financial reporting objective focus, is for publicly listed companies and their associated compliance with Sarbanes Oxley (SOX). That is where publicly listed companies need to prove they have effective internal controls including over the critical systems they use. That includes third-party software, so your publicly listed customers may ask you for a SOC 1 report covering your software as a service.

The service organisation control, sometimes referred to as system and organisational control (SOC) standards has been around for decades. Their earlier use was driven by financial reporting objectives, later termed “SOC 1”. That’s where third parties would rely on IT systems or services, and that would impact their financial statement audits or other financial interests like in asset management or superannuation. 

As reliance on third-party services evolved with the rise in software as a service companies, these reports naturally evolved to being used for assurance over those third-party services even when no direct financial objectives were involved. The Trust Services Criteria were then introduced to better align with the modern needs of third parties that were reliant on security, availability, confidentiality, processing integrity and privacy. This became “SOC 2” to differentiate from the earlier SOC 1 purpose.

A Type 1 report attests to your compliance by design. It’s a snapshot in time that can be achieved by showing you have the right systems and processes in place to satisfy the SOC 1 control objectives. 

A Type 2 report attests to your compliance by both design and operation over a set period of time, usually between 3-12 months, to show your systems and processes have been operating consistently to satisfy the SOC 1 control objectives. 

Usually, a Type 1 report is issued first as baseline compliance. That marks the start of the live and recurring Type 2 audit period for reports issued annually. That is the industry standard but the SOC standards have the flexibility to choose the report dates and periods as desired (usually driven by customers’ expectations that drive the industry-standard approach).

The control objectives in SOC 1 are adaptable to the specific customer requirements, especially if specific financial reporting objectives are required to be covered. A standard SaaS provider’s scope focuses on technology controls and may include the following areas as control objectives:

• Logical Access
• Segregation of Duties
• IT Perimeter Security
• IT Processing
• Change Management
• Backups & Recovery
• Incident Management
• Resilience & Recovery
• Vendor Risk Management