There are three standards for Service Organization Controls (SOC) established by the American Institute of Certified Accounting Professionals (AICPA) for determining the suitability of system design and the operating effectiveness of information technology (IT) infrastructures: SOC 1, SOC 2, and SOC 3.

What is a SOC 1 audit?

A SOC 1 audit examines and tests information technology (IT) infrastructures according to the Statement of Standards for Attestation Engagements, SSAE 16, Reporting on Controls at a Service Organization, adopted April 2011. The auditor examines internal controls over the processing of financial data and reports the findings to management and the accounting auditor. SSAE 16 requires the same level of evidence and assurance that was expected under the former SAS 70 service auditor engagement. SSAE 16 actually establishes the auditing standards for evaluation that were originally intended for SAS 70. However, the standards defined by SAS 70 failed to validate the adequacy of the controls over the processing of financial data.

Two types of SOC 1 reports.

The SOC 1 Type 1 audit reports on the accuracy and completeness of management’s description of the IT system or service, as well as the suitability of the design of controls as of a specific date. The SOC 1 Type 2 audit includes the Type 1 criteria and reports on the operating effectiveness of the controls throughout a time period of several months.

Who are SOC 1 reports intended for?

No official SSAE 16 or SOC 1 certificate is issued for publication. This is a report of the safeguards in place, for use internally and by auditors of the financial data.

