SOC1 Checklist
How to Find the Right SOC 1 Auditor: a Checklist

Creating a checklist ahead of tackling your first Statement on Standards for Attestation Engagements 18 (SSAE 18) Service Organization Control (SOC) 1 Audit will help make sure things go far more smoothly than if you leave anything to chance. At I.S. Partners, LLC., our auditing team has come up with a checklist we believe will make your first SOC 1 audit much simpler and stress-free for your team.

Why Do You Need a SOC 1 Audit?

As a service organization, it is important that you maintain certain financial reporting standards in order to account to your clients, which are considered service user entities.

Your SOC 1 audit, prepared in accordance with AT-C section 320, Reporting on an Examination of Controls at a Service Organization Relevant to User Entities’ Internal Control Over Financial Reporting, will help you and your selected CPA firm assess the effectiveness of the controls at your service organization.

You may need to perform a SOC 1 Audit if you provide services that involve payroll processing, cloud hosting and storage, medical claims processing, and Software-as-a-Service (SaaS).

The Two Types of Reports Generated from a SOC 1 Audit

The practical purpose of the SOC 1 Audit is to generate two primary reports, intended for the management of the service organization, the user entity and the user entity’s auditor. These reports are:

SOC 1 Type I

The Type I report provides reasonable assurance that the internal controls of the respective service organization are suitably designed to perform the needed services as of a specified date.

SOC 1 Type II

This is a report on the assurance that the management’s description of the service organization’s system, as well as the suitability of the design and operating effectiveness of the controls, will allow the service organization to achieve the related control objectives noted in the description throughout a specified period, according to the American Institute of CPAs (AICPA).

Tips for Finding the Right CPA Firm

Armed with your own research and understanding of the SSAE 18 (SOC 1) auditing process—updated from SSAE 16 to SSAE 18, effective May 1, 2017—it is time to find a CPA firm that specializes in SOC 1 Audits that you can trust.

Feel free to do some additional reading on our page regarding SSAE 18 (SOC 1) services to bolster your understanding of the comprehensive new standards as you launch your search. You may also spend some time reviewing the AICPA website for even more in-depth information to guide you on your CPA firm search.

The first thing you need to do when choosing your first round of potential CPA firms for your SOC 1 Audit is to set the necessary criteria that give you the confidence to move forward. Following are just a few things to consider during this phase:

Make Sure They Are a Licensed CPA Firm.

Avoid spending valuable time vetting a firm that does not handle these key reports. While many firms have entered into the regulatory and compliance field regarding service organizations, it is not a guarantee that every firm has, so go ahead and cross this off the list, first and foremost.

Consider CPA Firms within Your Budget.

If your company is small and has a tight budget, you may want to consider smaller local CPA firms for your own comfort and confidence in the process.

Focus on Your Organization’s Niche.

You may find that your clients appreciate it if you hire a CPA firm that has a more detailed understanding of your work: cloud hosting or payroll processing, for example.

Review the CPA Firm’s SOC 1 Auditing Experience.

You do not want to choose a CPA firm as green in the SOC 1 auditing process as you are, so be sure to learn how many SSAE 16—and even SAS 70—reports your candidates have performed, as well as their understanding of the new standards set forth in the SSAE 18 Update to ensure that they can ultimately verify and certify that your SOC 1 results are true and complete. Previous reporting assessments can help you properly scope your potential engagement with the firm.

Understand the Firm’s Methodology.

Learn which control objectives and related controls the firm generally uses to form the basis of the SSAE 18 Report. This discussion will also help you determine whether you can meet the stated requirements laid out by the user entities for the audit.

Narrowing Your List to the Top CPA Firms

At this point, you are reasonably sure that any of the remaining companies can perform your SOC 1 Audit, adhering to the SSAE 18 standards. Criteria you may use to decide among them include their methodology, specialization or fees.

Discuss Fees and Payment Options.

The SOC 1 audit is invaluable when it comes to providing assurances to your clients, but it is a complex project. While fees may vary, according to the size of your company and the auditing firm itself, you can expect to pay at least $13,000 to $15,000, and sometimes significantly higher, per SSAE-16. Ask your potential CPA firms if they offer a fixed rate fee in case your audit becomes more complex or your auditing firm raises its fees during the SOC 1 Audit.

Define the Scope of Your SOC 1 Audit

Once you select your CPA firm, discuss matters that include the physical locations of your audit and how many of those will be included in your audit, the relevant testing period for your audit, and which specific personnel at the service organization need to be involved with the audit. This step will help you get a “big picture” idea of what will happen during the audit and can help prevent confusion and delays.

Set Control Objectives and SOC 1 Audit Activities.

At this point, sit down with your engaged auditing team to determine the controls and steps that need to be tested before passing them to relevant process owners and stakeholders for review and agreement.


Reach Out to Us for Additional Information

We hope this list will get you started in the right direction when preparing for your SOC 1 Audit. If you have additional questions about finding the right CPA firm to take on your project, or if you would like to discuss any other ways our auditing team at I.S. Partners, LLC. can help, contact us today by calling 215-675-1400 or sending us a message online.
