
Effective Use of SOC 1

Why SOC?
Nowadays, it is typical for companies to outsource to a service entity various duties and
responsibilities that are relevant to their business, including functions that are important and essential to
their daily business undertakings. In effect, the organization is able to minimize its costs while
increasing its core competencies. However, the American Institute of Certified Public Accountants
reported that each time user entities outsource tasks to service organizations, the service firms’ risks
also become the user entities’ risks. The increasing demand for outsourcing and the risks associated with
it have led to a more formalized system of monitoring and supervising the processes of service
organizations in the form of Service Organization Controls (SOC) reporting. Through this framework,
service organizations can now satisfy the demands for assurance of user entities and of the
user auditors who utilize these reports when assessing and evaluating the user entities’ financial
statements. Among the SOC reports is SOC 1, which is released for activities that adhere to the
Statement on Standards for Attestation Engagements No. 16 (SSAE 16).

Objectives of SOC 1
The primary purpose of SOC 1 is to report on controls pertinent to the user entities’ internal controls
over financial reporting. In addition, SOC 1 is intended to establish trust and confidence with the service
organizations’ clientele. SOC 1 reports are useful not only for user entities, but also for service
organizations in determining the quality of the services they provide. However, the use of
a SOC 1 report is limited to the management, their clients, and their clients’ auditors; hence SOC 1 cannot
be utilized as a marketing document (e.g. displaying a SOC 1 report on the service organization’s webpage
as a “seal of approval”).

Choosing SOC 1
Since there are three SOC reporting options (SOC 1, SOC 2, and SOC 3) to choose from, ensuring
that the appropriate reporting option is used is important. SOC 1 is only fitting if the service
organization’s clients and their auditors will utilize this report in planning and conducting a financial
statement audit.

Data Center Providers and SOC 1


According to Chris Schellman, President and Founder of BrightLine, data centers preferred using
SOC 1 reports or have combined SOC 1 reports with SOC 2 reports. Contrary to beliefs and hearsay,
data centers are not restricted from opting for SOC 1 reporting as long as they host systems pertinent to the
internal controls over financial reporting of user entities. This has raised some eyebrows, since
some people believe that hosting services have no relevance to the said matter. However,
an AICPA webinar has debunked this claim.

User Entities and SOC 1


Generally, SOC 1 is a means of auditor-to-auditor communication. It is also a means of service
provider-to-customer communication. As such, user entities can utilize a SOC 1 report to further their
understanding of the controls that are devised and implemented by service organizations.
Furthermore, user entities can employ these controls as a model in planning and administering their own
controls.

Employee Benefit Plans and SOC 1


Significant and substantial information related to authorization of new accounts, security of data,
and marketing of investments, among other things, is disclosed in a SOC 1 report.

With SOC 1 reports, plan management can examine and check their controls and ascertain whether these
controls are working. Moreover, they will be able to identify deficiencies in the controls and look at
the feedback or reactions of the service providers. In effect, the management can create a resolution and
assess whether switching to a new service provider is ideal and necessary.

Service Organizations and SOC 1


SOC 1 reports are ideal for service organizations that provide financial transaction processing or
support transaction processing systems. Here, the primary focus of SOC 1 is on financial reporting risks
and internal financial controls. The evaluation period for SOC 1 is usually one year, although it can be
less depending on the situation and the areas under assessment. SOC 1 covers accounting records,
classes of transactions, procedures for processing and reporting, and other data relevant to processing
and handling user transactions.

Security Concerns and SOC 1


A SOC 1 report will inform the users that the system is protected and secured against
unauthorized access and that all confidential information will remain undisclosed. In addition, a SOC 1 report
will specify whether or not the service provider adheres to the entity’s privacy notice.

Conclusion
From the perspective of the business doing the outsourcing, a SOC 1 report is a necessity with
regard to financial auditing and will most likely be requested by the accounting firm. Furthermore, a SOC 1
report will allow an entity to closely monitor its vendor to ensure that the entity is receiving quality
services. Moreover, a SOC 1 report will allow the entity to evaluate and assess risks associated with
outsourcing not only its financial transactions, but also other important business functions. SOC 1 is
undoubtedly an important risk assessment tool for the user and is a way to hold the service organizations
accountable for providing the services agreed to.
