Creating a checklist ahead of tackling your first System and Organization Controls (SOC) 1 audit will make things go far more smoothly than if you leave anything to chance. At I.S. Partners, LLC. our auditing team has put together a checklist we believe will make your first SOC 1 audit simpler and less stressful for your team.
Why Do You Need a SOC 1 Audit?
As a service organization, you must be able to show your clients, known in SOC terminology as user entities, that the controls you operate on their behalf are relevant to, and support, their internal control over financial reporting.
Your SOC 1 audit, performed in accordance with AT-C section 320, Reporting on an Examination of Controls at a Service Organization Relevant to User Entities’ Internal Control Over Financial Reporting, is how your selected CPA firm examines and reports on the design (and, for a Type II report, the operating effectiveness) of the controls at your service organization.
You may need to undergo a SOC 1 audit if you provide services such as payroll processing, cloud hosting and storage, medical claims processing, or Software-as-a-Service (SaaS) that touch your clients’ financial reporting.
The practical outcome of a SOC 1 audit is one of two report types, intended for the management of the service organization, the user entities and the user entities’ auditors. These report types are:
SOC 1 Type I
The Type I report covers management’s description of the service organization’s system and provides reasonable assurance that the internal controls of the service organization are suitably designed to achieve the stated control objectives as of a specified date. It does not test whether those controls actually operated over time.
SOC 1 Type II
This report covers management’s description of the service organization’s system as well as the suitability of the design and the operating effectiveness of the controls, providing assurance that the controls operated effectively to achieve the related control objectives noted in the description throughout a specified period, according to the American Institute of CPAs (AICPA). Because it tests operation over a period (typically six to twelve months), it is the report most user entities and their auditors will ask for.
Tips for Finding the Right CPA Firm
Armed with your own research and understanding of the SOC 1 auditing process, it is time to find a CPA firm that specializes in SOC 1 audits and that you can trust.
Feel free to do some additional reading on our page regarding SOC 1 services to bolster your understanding of the current standards (SSAE 18 and AT-C section 320) as you launch your search. You may also spend some time reviewing the AICPA website for more in-depth information to guide your CPA firm search.
The first thing you need to do when choosing your first round of potential CPA firms for your SOC 1 audit is to set the criteria that give you the confidence to move forward. Following are just a few things to consider during this phase:
Make Sure They Are a Licensed CPA Firm.
Only a licensed CPA firm can issue a SOC 1 report, so avoid spending valuable time vetting a firm that cannot. While many firms have entered the regulatory and compliance field serving service organizations, that is no guarantee that every firm is licensed to perform attestation engagements, so cross this item off the list first. Research as much as you can; the AICPA website offers detailed information on the SOC auditing process and on who may perform it.
Consider CPA Firms within Your Budget.
If your company is small and has a tight budget, you may want to consider smaller local CPA firms for your own comfort and confidence in the process. Pricing for a SOC 1 audit varies greatly depending on the firm performing the work and the size and complexity of your organization; however, don’t expect to pay less than $13,000 for the audit. Look for a fixed-fee engagement so the audit firm cannot raise its rates on you as the project progresses.
Focus on Your Organization’s Niche.
You may find that your clients appreciate it if you hire a CPA firm that has a detailed understanding of your line of work, such as cloud hosting or payroll processing.
Review the CPA Firm’s SOC 1 Auditing Experience.
You do not want to choose a CPA firm as green in the SOC 1 auditing process as you are, so learn how many SOC reports your candidates have issued and how well they understand the current standards in the SOC framework, since it is their opinion on your controls that user entities will rely on. Reviewing how they scoped previous engagements can help you properly scope your own.
Understand the Firm’s Methodology.
Learn which control objectives and related controls the firm typically expects to see and how they form the basis of the SOC report. Keep in mind that the control objectives are ultimately management’s to define; the firm’s role is to examine whether your controls achieve them. This discussion will also help you determine whether you can meet the requirements your user entities have laid out for the audit.
Narrowing Your List to the Top CPA Firms
At this point, you are reasonably sure that any of the remaining firms can perform your SOC 1 audit in accordance with the SOC standards. Based on how you feel about each firm, its people, methodology, previous experience, specialization and, of course, cost, narrow your search to the top one or two firms you are looking to engage.
Discuss Fees and Payment Options.
The SOC 1 audit is invaluable when it comes to providing assurance to your clients, but it is a complex project. While fees vary with the size of your company and the auditing firm itself, you can expect to pay at least $13,000 to $15,000, and sometimes significantly more. Ask your potential CPA firms whether they offer a fixed fee, so that you are protected if the audit turns out to be more complex than expected or the firm’s rates rise during the engagement.
Define the Scope of Your SOC 1 Audit
Once you select your CPA firm, discuss which physical locations will be included in the audit, the relevant testing period (the “as of” date for a Type I report or the review period for a Type II report), and which specific personnel at the service organization need to be involved. This step gives you a “big picture” idea of what will happen during the audit and helps prevent confusion and delays.
Set Control Objectives and SOC 1 Audit Activities.
At this point, sit down with your engaged auditing team to define the control objectives, the controls that support them and the steps that will be tested. Pass that list to the relevant process owners and stakeholders for review and agreement, and make sure anyone at the CPA firm who will review or sign off on the report has also agreed, so that everyone is aligned before testing begins.
Want to skip over all the fluff and give your cybersecurity team the bare-bones checklist? You’ve got it. Follow the link below to download our simple checklist that will save you time!
These steps will set you on your way to getting your SOC 1 audit (under SSAE 18, which replaced SSAE 16) started and should help guide you through some of the challenges of the process. Once you have completed all of the steps we have suggested, you should be able to rely on the knowledge of your CPA firm to take you through a successful audit.
Reach Out to Us for Additional Information
We hope this list will get you started in the right direction when preparing for your SOC 1 Audit. If you have additional questions about finding the right CPA firm to take on your project, or if you would like to discuss any other ways our auditing team at I.S. Partners, LLC. can help, contact us today by calling 215-675-1400 or filling out the contact form below.