What Is an AICPA SOC 1 Report for a Service Organization?

Understand how a SOC 1 report validates a service organization's internal controls and provides assurance for their clients' financial statement audits.

A System and Organization Controls (SOC) 1 report allows companies that perform outsourced services to demonstrate they have adequate internal controls relevant to their clients’ financial reporting. Governed by the American Institute of Certified Public Accountants (AICPA), these reports are the result of an examination by an independent Certified Public Accountant (CPA) firm. For example, if a company outsources its payroll processing, its financial auditors need assurance that the processor is handling everything correctly, as this directly impacts the company’s financial statements. The CPA firm assesses the service organization’s systems and provides a formal opinion on its control environment under the Statement on Standards for Attestation Engagements (SSAE) No. 18.

Core Concepts of a SOC 1 Report

A SOC 1 report is for any service organization whose activities can affect a client’s financial statements, such as businesses providing payroll processing, medical billing, or data hosting for financial applications. A client’s auditors use the SOC 1 report as part of their risk assessment procedures. Relying on it can reduce the need for them to perform their own detailed testing of the service organization’s controls.

The AICPA framework provides for two distinct types of SOC 1 reports. A Type 1 report evaluates the design of a service organization’s controls at a single point in time, like a snapshot. It answers whether the described controls are designed appropriately to meet stated objectives on a specific day and can be useful for an organization’s first SOC examination or when clients need less detailed assurance.

A Type 2 report assesses both the design of the controls and their operating effectiveness over a period of six to twelve months. This is more like a video, showing that controls functioned as intended throughout the review period. A Type 2 report provides a higher level of assurance and is what most clients and their auditors expect to receive.

The choice between a Type 1 and Type 2 report depends on the service organization’s maturity and client demands. A new provider might start with a Type 1 report to establish a baseline. However, established providers, especially those serving publicly traded companies subject to Sarbanes-Oxley (SOX) requirements, will almost always need a Type 2 report to satisfy client audit requirements.

Preparing for a SOC 1 Examination

Preparation for a SOC 1 examination begins long before the auditor starts fieldwork. The first step is defining the report’s scope. Management must determine which services, systems, business processes, and physical locations will be included in the examination. For example, a cloud service provider might include certain data centers while excluding others, or focus on a particular software platform.

After defining the scope, the organization develops its control objectives, which are the high-level goals for the internal controls. A common objective is ensuring logical access to systems is restricted to authorized personnel. The organization must identify all objectives relevant to the services covered in the report so that the risks to its clients’ financial reporting are addressed.

Another preparatory document is the system description, a detailed narrative written by management explaining the system being examined. It must describe the services, infrastructure, software, personnel, procedures, and data involved. The description must be comprehensive enough for a report user to understand the transaction flow and how the control environment manages risk.

Finally, the organization must document its controls and link them to the control objectives. This often involves creating a matrix that maps each control activity, like a quarterly user access review, to the objective it supports. The company must also gather evidence for the auditor, such as policy documents, procedure manuals, and system logs.

The Examination Engagement

The formal examination engagement with an independent CPA firm begins with the auditors conducting their own planning and confirming the scope. The audit team reviews the system description prepared by management to ensure it accurately represents the services and control environment being examined. This phase sets the groundwork for all subsequent testing.

The next phase is fieldwork, where the auditor tests the controls. For a Type 1 report, this process focuses on verifying the system description and confirming the design of controls as of the report date. Auditors conduct inquiries with personnel, inspect documents, and perform process walkthroughs to validate that controls are implemented as described and are suitably designed to achieve the stated control objectives.

For a Type 2 report, fieldwork also tests the operating effectiveness of controls over the review period. In addition to Type 1 procedures, auditors select samples of transactions or events to test. For example, to test change management controls, they might select a sample of system changes and examine the associated request forms, approvals, and testing evidence for each.

After fieldwork, the engagement moves to the reporting phase. The CPA firm drafts the SOC 1 report, including its formal opinion and detailed test results. The service organization’s management reviews the draft for factual accuracy before the CPA firm issues the final, signed report.

Components of the Final SOC 1 Report

The final SOC 1 report is a structured document with several sections. Section I is the Independent Service Auditor’s Report, which contains the CPA firm’s opinion, the conclusion of its examination. An “unqualified” opinion is the best possible outcome, stating that the system description is fairly presented and the controls are suitably designed (and, for a Type 2 report, operating effectively). Other opinion types are qualified, adverse, or a disclaimer of opinion.

Section II is the Service Organization’s Assertion, a written statement from management. In it, management attests to the accuracy of its system description. Management asserts that controls were suitably designed for both report types, and for a Type 2 report, they also assert the controls operated effectively during the specified period.

Section III contains the Service Organization’s Description of its System. This narrative provides the context to understand the services, transaction flow, and control environment. The fairness of this description is one of the elements covered by the service auditor’s opinion.

Type 2 reports include Section IV, which details the Service Auditor’s Tests of Controls and Results. This section is presented as a matrix listing each control objective, the supporting controls, the auditor’s tests, and the results. This allows user auditors to see the evidence supporting the opinion on operating effectiveness.
