If it is time for another—or maybe your first—report on one of your Service Organization Control (SOC) matters, you may find yourself wondering what type of approach is right for your organization.
Perhaps you have heard of AT Section 101 and SOC 1, but you are slightly foggy as to their specific definitions and purposes. Once you understand the critical roles of each one, you may feel more confident about your upcoming reporting session.
Within the framework established by the American Institute of Certified Public Accountants (AICPA), there are SOC 1, SOC 2, SOC 3 and SOC for Cybersecurity reports. Each report has its own purpose, approach, materials used, goals and professional standard.
Let’s take a closer look at AT Section 101 and SOC 1.
What Is AT Section 101?
The AT Section 101 serves as the professional standard for SOC 2 and SOC 3 reporting and has become an increasingly important section of the Attest Engagements for reporting on controls at service organizations.
The attest function applies to engagements in which an entity engages a certified public accountant—or “the practitioner” to stay in keeping with the language of the Attest Engagements—to issue an examination, a review or an agreed-upon procedures report on specific subject matter regarding a service organization’s internal controls. The section may also be an assertion about the subject matter that is the responsibility of another party.
The AT Section 101, along with any accompanying documentation, serves two primary functions for the practitioner in reporting:
- Provides principal support for the practitioner’s report that includes representation regarding observance of the standards of fieldwork. This function is implicit in the reference in the report to attestation standards, specifically in AT Section 23, entitled Suitability and Availability of Criteria, which states that “The third general standard is—The practitioner must have reason to believe that the subject matter is capable of evaluation against criteria that are suitable and available to users.”
- Assists the practitioner in conducting and supervising the attest engagement.
Attest documentation usually needs to indicate that the process by which the organization has developed its prospective financial statements was considered in the determination of the scope of the examination.
What Is SOC 1?
The SOC 1 is a report on Controls at a Service Organization, relevant to the user entity’s internal control over financial reporting. Originally known as the standard SAS70, which featured Type I and Type II reports, the standard was updated as of May 1, 2017 to what is now known as Statement on Standards for Attestation Engagements 18 (SSAE 18).
A customer working with a service organization will routinely need to have their financial statements audited by their trusted certified public accountant. In such cases, a SOC 1 audit is in order.
Do You Know Whether You Need a Type I or Type II Report for Your Next SOC 1 Audit?
To specialize your reporting even further, the AICPA has broken the SOC 1 down into two different types of reports, which are Type I and Type II. Many organizations struggle to decipher the difference between the two, so we thought it might help to give you a brief synopsis of both SOC 1 Types.
- Type I: Technically known as a “Report on Management’s Description of a Service Organization’s System and the Suitability of the Design of Controls,” the Type I report gives you, working as the user auditor, the opportunity to perform critical risk assessment procedures to learn whether you can achieve the related control objectives on a specific date. The report also provides a description of your organization’s system and how it functions to achieve goals you set to serve your customers. With the Type I report, you also receive an opinion on the fairness of your system and the design of the controls.
- Type II: Officially known as a “Report on Management’s Description of a Service Organization’s System and the Suitability of the Design and Operating Effectiveness of Controls,” the Type II report contains all the same information as the Type I report, but it adds in a different element. The Type II report addresses the design and testing of the controls over a period of time, which is most often six months, as opposed to the specific date used in a Type I report. It also describes the testing performed and the results. This type of report is far more rigorous and intensive than Type I, as it covers a greater span of time and requires that your auditors perform a more thorough investigation of your system’s design and processes.
What are the Key Benefits of the SOC 1 Report?
Following are a few of the key focal points of the SOC 1 report:
- It helps to ensure that you are doing your part to make sure your service organization maintains complete and consistent compliance when it comes to standards, regulations and acts like the Sarbanes-Oxley Act of 2002.
- Each auditing firm provides its own specific “seal of excellence” to SOC 1, Type I and Type II report recipients with unqualified audit opinions. Such professional reinforcements and transparencies can help boost your stakeholders’ and customers’ confidence in your organization, forging better communication that leads to stronger and longer lasting professional relationships.
Are You Confident About What Type of Report And Professional Standards You Need For Your Next Audit?
At I.S. Partners, LLC., our trusted auditors work with these reports and their complex definitions and features each day. However, we certainly understand how our successful clients like you may feel somewhat overwhelmed by the array of reports and professional standards to which you must adhere. Call us at 215-675-1400, request a quote, or launch a live chat to learn more about SOC 1 audits!