
SOC 1

Internal Control over Financial Reporting


Organizations increasingly outsource non-core business processes to service organizations. A Service Organization Control (SOC) report in compliance with SOC 1 provides assurance over outsourced financial processes. The SOC 1 standard originated from the growing demand for control over outsourced activities. The outsourced services can be Software-as-a-Service (SaaS) providers, asset managers, data centres, property managers, etc. An FAQ and further detailed information on SOC 1 are outlined below.

Frequently Asked Questions

Why SOC 1?

What are the requirements of SOC 1?

Essentially the requirements are 'free format'; however, the governing criteria of a SOC 1 report are the financial reporting processes of your customers. Generally, this implies that the General Computer Controls (General IT Controls) are included in the report, together with all controls focused on the financial reporting processes; this might also include operational or production processes.

How can my organization fulfill the SOC 1 requirements?

The SOC 1 requirements are limited to general framework requirements only; however, general practice for SOC reporting has established many best practices. If an organization does not comply with these best practices, the SOC 1 report might be perceived as a report of poor quality.

Generally, an organization needs to describe the relevant processes, the risk management framework, and a detailed control matrix. In the detailed control matrix, control objectives and control descriptions are included. 

The SOC 1 implementation is best described in accordance with international standards for accountants and in the specific jargon accountants use. After the description, all procedures and controls need to be in place. This requires uniformity in working procedures, management of the process, and discipline within the organization to comply with these procedures.

What are the costs for a SOC 1 implementation?

This depends on the scale of the operation and the organization. If an organization uses our software solution ControlReports, the costs for a license are EUR 3.090. With a ControlReports license, all the implementation procedures have to be performed by the organization.

The ControlReports license includes the Risklane best practice for a risk management framework, which is based on more than 25 years of in-depth experience with implementing control frameworks. If internal control knowledge is available in-house, no further costs apply. For a typical IT client with 50-250 employees, additional consultants are hired for approximately 3-5 days. The average hourly costs for a consultant range from EUR 125-350.

If an organization decides to hire our consultants to implement the full process, the approximate resources required range from 80 days to 120 days for a typical IT services (SaaS or managed services) client. As mentioned above, the resources required differ per industry, size of the organization, complexity, and the impact of financial and operational processes apart from the General Computer Controls.

Do we need a SOC 1 audit each year?

Generally, yes, although this often depends on the specific requirements of your customer. Typically, customers require a calendar or fiscal year as the period under review.

SOC 1

Outsourced services require that information from a service organization is acquired to assess and address the risks associated with outsourced services. Service Organization Control (SOC) reports are internal control reports that provide this information. SOC 1 is the standard for assurance on financial processes (or processes with a financial impact for the user organization). A SOC 1 typically includes a risk management framework, a description of controls, and an assurance (audit) opinion of an independent auditor.

Industries

SOC 1 is relevant for organizations providing services to other organizations, e.g. asset managers, pension services providers, Software-as-a-Service (SaaS) providers, Infrastructure-as-a-Service (IaaS) providers, Platform-as-a-Service (PaaS) providers, and data centre services providers. SOC 1 is relevant if the outsourced processes are related to financial processes. If the processes relate only to General IT Controls (GITCs), an ISAE 3000 or SOC 2 report might be more relevant.