Interaction Determines SOC 1 Need

Level of interactivity determines need for SOC 1.


The type of interaction between user entities and the service organizations providing information technology services is defined by two things: the degree to which the user entity is able to monitor the services of the service organization, which are separate from the user entity, and the user entity’s ability to establish controls over those services. A user auditor may decide that the interaction between the user entity and the service organization is sufficient to allow the user entity to establish its own controls, avoiding the need for the service organization to undergo a SOC 1 audit.

For a user auditor to evaluate the controls of a service organization, the auditor should understand the five components of the user entity’s internal control environment: risk assessment process, information and communication system, control activities and monitoring controls. This is necessary to determine whether the entity’s internal controls are sufficient and to assess the risk of material misstatements, whether due to error or fraud. This permits the auditor to design the nature, timing, and requirements of additional audits in accordance with paragraph 40 of Statement on Auditing Standards (SAS) No. 109, Understanding the Entity and Its Environment and Assessing the Risks of Material Misstatement (AICPA, Professional Standards, AU sec. 314).

To provide a professional solution for these new standards, the team at Integrated Accounting Services (IAS) performs audits for service organizations and their clients during the same testing period where possible. IAS’s integrated approach to auditing both the service organization and its clients provides increased security, integrity and privacy for all systems. Timely, coordinated reports and periodic follow-ups are part of the integrated approach to qualifying service organizations and their user entities and to reporting the higher level of assurance to responsible parties.

This article is provided by Integrated Accounting Services for those seeking clarification of IT system and control requirements. Please contact us if you need an assessment of your system or need to determine whether a SOC 1 or a SOC 2 audit is required to assure clients of your compliance with new standards.


