Creating a checklist ahead of tackling your first Statement on Standards for Attestation Engagements 18 (SSAE 18) Service Organization Control (SOC) 1 Audit will help make sure things go far more smoothly than if you leave anything to chance. At I.S. Partners, LLC., our auditing team has come up with a checklist we believe will make your first SOC 1 audit much simpler and less stressful for your team.
Why Do You Need to Perform a SOC 1 Audit?
As a service organization, it is important that you maintain certain financial reporting standards in order to account to your clients, which are considered service user entities.
Your SOC 1 audit, prepared in accordance with AT-C section 320, Reporting on an Examination of Controls at a Service Organization Relevant to User Entities’ Internal Control Over Financial Reporting, will help you and your selected CPA firm assess the effectiveness of the controls at your service organization.
You may need to perform a SOC 1 Audit if you provide services that involve payroll processing, cloud hosting and storage, medical claims processing, and Software-as-a-Service (SaaS).
The practical purpose of the SOC 1 Audit is to generate two primary reports, intended for the management of the service organization, the user entity and the user entity’s auditor. These reports are:
SOC 1 Type I
The Type I report provides reasonable assurance that the internal controls of the respective service organization are suitably designed to perform the needed services as of a specified date.
SOC 1 Type II
This is a report on the assurance that the management’s description of the service organization’s system, as well as the suitability of the design and operating effectiveness of the controls, will allow the service organization to achieve the related control objectives noted in the description throughout a specified period, according to the American Institute of CPAs (AICPA).
Finding the Right CPA Firm
Armed with your own research and understanding of the SSAE 18 (SOC 1) auditing process—updated from SSAE 16 to SSAE 18, effective May 1, 2017—it is time to find a CPA firm that specializes in SOC 1 Audits that you can trust.
Feel free to do some additional reading on our page regarding SSAE 18 (SOC 1) services to bolster your understanding of the comprehensive new standards as you launch your search. You may also spend some time reviewing the AICPA website for even more in-depth information to guide you on your CPA firm search.
The first thing you need to do when choosing your first round of potential CPA firms for your SOC 1 Audit is to set the necessary criteria that give you the confidence to move forward. Following are just a few things to consider during this phase:
Make Sure They Are a Licensed CPA Firm That Handles SOC 1 Audits and Is Familiar with the SSAE 18 Update.
Avoid spending valuable time vetting a firm that does not handle these key reports. While many firms have entered into the regulatory and compliance field regarding service organizations, it is not a guarantee that every firm has, so go ahead and cross this off the list, first and foremost.
Consider CPA Firms within Your Budget.
If your company is small and has a tight budget, you may want to consider smaller local CPA firms for your own comfort and confidence in the process.
Search for a Firm That Focuses on Your Organization’s Specialization.
You may find that your clients appreciate it if you hire a CPA firm that has a more detailed understanding of your work, such as cloud hosting or payroll processing.
Ensure the CPA Firm Has SOC 1 Auditing Experience.
You do not want to choose a CPA firm as green in the SOC 1 auditing process as you are, so be sure to learn how many SSAE 16—and even SAS 70—reports your candidates have performed, as well as their understanding of the new standards set forth in the SSAE 18 Update to ensure that they can ultimately verify and certify that your SOC 1 results are true and complete. Previous reporting assessments can help you properly scope your potential engagement with the firm.
Learn More About the Firm’s Methodology.
Learn which control objectives and related controls the firm generally uses to form the basis of the SSAE 18 Report. This discussion will also help you determine whether you can meet the stated requirements laid out by the user entities for the audit.
Narrowing Your Search to One or Two Top CPA Firms on Your List
At this point, you are reasonably sure that either of the remaining companies can perform your SOC 1 Audit, adhering to the SSAE 18 standards. Criteria you may use to decide between them include their methodology, specialization or fees.
Discuss Fees and Payment Options
The SOC 1 audit is invaluable when it comes to providing assurances to your clients, but it is a complex project. While fees may vary, according to the size of your company and the auditing firm itself, you can expect to pay at least $13,000 to $15,000, and sometimes significantly higher, per SSAE-16. Ask your potential CPA firms if they offer a fixed-rate fee in case your audit becomes more complex or your auditing firm raises its fees during the SOC 1 Audit.
Define the Scope of Your SOC 1 Audit
Once you select your CPA firm, discuss matters that include the physical locations of your audit and how many of those will be included in your audit, the relevant testing period for your audit, and which specific personnel at the service organization need to be involved with the audit. This step will help you get a “big picture” idea of what will happen during the audit and can help prevent confusion and delays.
Set Your Control Objectives and SOC 1 Audit Activities
At this point, sit down with your engaged auditing team to determine the controls and steps that need to be tested before passing them to relevant process owners and stakeholders for review and agreement.
Reach Out to Us for Additional Information
We hope this list will get you started in the right direction when preparing for your SOC 1 Audit. If you have additional questions about finding the right CPA firm to take on your project, or if you would like to discuss any other ways our auditing team at I.S. Partners, LLC. can help, contact us today by calling 215-675-1400 or sending us a message online.