Overview#SOC 1 (Service Organization Controls 1) reports are examination engagements undertaken by a service auditor to report on controls at an organization that provides services to user entities when those controls are likely to be relevant to user entities’ internal control over financial reporting.
SOC 1 reports, which have effectively replaced SAS 70 reports as of June 15, 2011, will be prepared in accordance with Statement on Standards for Attestation Engagements (SSAE) 16, Reporting on SOC 1. SOC 1 reports retain the original purpose of SAS 70 by providing a means of reporting on the system of internal control for purposes of complying with internal control over financial reporting. SOC 1 reports are restricted use reports, which mean use of the reports is restricted to:
- Management of the service organization (the company who has the SOC 1 performed),
- User entities of the service organization (service organization’s clients)
- the user entities’ financial auditors (user auditor).
The SOC 1 can assist the user entities’ financial auditors with laws and regulations such as the Sarbanes–Oxley Act.
SOC 1 reports enables the user auditor to perform Risk Assessment procedures, and if a Type II report is performed, to assess the risk of material misstatement of financial statement assertions affected by the service organization’s processing.