SOC 1 Compliance

Decrease Cost, Improve Risk Management and Control

What is a SOC 1 Report?

The System and Organization Control (SOC) 1 report is an examination of a service provider’s controls relevant to their client’s internal control over financial reporting (ICOFR). Formerly known as SSAE 16 and SAS 70, this report now follows the SSAE 18 attestation standard and is most applicable when the service provider performs financial transaction processing or supports a transaction processing system.

Purpose and Use

A SOC 1 report is used by organizations that outsource a specific service or system that likely impacts their internal controls over financial reporting.

SOC 1 Control Objectives

A control objective outlines the target or purpose of a specific group of controls within an organization. SOC 1 control objectives are not pre-defined, and may differ for each organization. The control objectives should cover all major aspects of the organization relevant to the SOC 1 report, and usually consist of both general information technology controls (i.e., logical access, change management, and operations) and business process controls (i.e., completeness and accuracy of transaction processing). Depending on the scope, there can be anywhere between 10 and 30 control objectives in a SOC 1 report.

SSAE 18 Audit Standard

Effective May 1, 2017, the SSAE 18 attestation standard applies to SOC 1 examinations. Specifically, AT-C section 320 within the new standard establishes the requirements that supersede SSAE 16. This update is designed to simplify and unify international standards. The changes include a stronger focus on risk assessment, vendor management, and monitoring subservice organizations.

Who Needs a SOC 1 Report?

Organizations that should consider a SOC 1 report include Cloud ERP service providers, financial services, payroll processing, healthcare claims processing, and data center colocation. If your organization plays any role in client financials, then a SOC 1 report may be right for you.

Are SOC 1 Reports Mandatory?

If your organization provides a service that impacts client financials, a SOC 1 report may be required by your organization’s clients or stakeholders. 

Benefits of a SOC 1 Report

A SOC 1 report demonstrates the effectiveness of your processes and procedures to your clients. Not only will this differentiate your organization from competitors, but additional benefits include:

  • Increased level of trust from your clients, resulting in client retention and acquisition;
  • Less need for frequent audits, resulting in decreased cost for your organization;
  • Improved risk management and control; and,
  • Satisfaction of audit requirements.

Types of SOC 1 Reports

Type 1 Report

The SOC 1 Type 1 Report (referred to as a point-in-time report) includes an opinion over the suitability of the design of controls at the service organization at a specific point in time. An initial Type 1 report often serves as the starting point for subsequent Type 2 reviews.

Type 2 Report

The SOC 1 Type 2 Report (referred to as a period-of-time report) includes an opinion over the suitability of the design of controls at the service organization and the operating effectiveness of the controls throughout a specified period of time. This type of report is often issued annually.

Contact Us for a Free Consultation

We’re here to help you! Speak with a BARR specialist about your security and compliance needs.

Why BARR for SOC Reporting

  • BARR’s SOC clients report that services lead to a 70% reduction in customer compliance questionnaires
  • SOC clients spend 75% less time on internal resources needed to pass audit
  • Nearly 100% client retention rate
  • Proven practical, adaptive approach that simplifies SOC reporting processes
  • Team members serve on task forces responsible for developing SOC reporting standards
  • Competitive, fixed rates to accommodate growing enterprises
