Reports on Controls at a Service Organization Relevant to User Entities’ Internal Control Over Financial Reporting: SOC 1 engagements are performed under SSAE 16, Reporting on Controls at a Service Organization. SOC 1 reports are examination engagements undertaken by a service auditor to report on controls at an organization that provides services to user entities when those controls are likely relevant to the user entity’s internal control over financial reporting.
There are two types of SOC 1 Reports:
Type 1 – A report on management’s description of the service organization’s system and the suitability of the design of the controls to achieve the related control objectives included in the description as of a specified date.
Type 2 – A report on management’s description of the service organization’s system and the suitability of the design and operating effectiveness of the controls to achieve the related control objectives included in the report throughout a specified period.
Example: How SOC 1 Reports Are Utilized
A user organization engages a service provider to provide certain services that may impact the user organization’s financial statements. When the user organization’s financial statements are audited, their auditor needs information about internal control over financial reporting, including controls at the service provider that affect the user organization’s financial statements.
To obtain that information, the service provider engages a CPA (service auditor) to examine controls at the service provider, resulting in a report with detailed information about those controls. The service auditor’s report includes opinions on whether the description of the service provider’s system is presented relatively and whether management at the service provider that may affect user entities’ financial reporting are suitably designed. A Type 2 report also includes the service auditor’s opinion on whether the controls were operating effectively and describes tests of the controls performed by the service auditor to form that opinion and the results of those tests. The user organization’s financial statements auditor uses the service provider’s service auditor report to obtain information needed to audit the user organization’s financial statements.