The SOC 1 Examination Process

Do you understand the SOC 1 examination process? Our assessors take you from scoping through report delivery to understand all of the steps needed to complete an examination.

What is a SOC 1 Examination?

The System and Organization Controls (SOC 1) Examination is a commonly requested examination for organizations that impact a customer’s financial reporting. As a licensed CPA firm, A-LIGN has helped companies and organizations of all sizes achieve SOC 1 compliance.

A SOC 1 Examination is designed to supply your organization’s customers with assurance regarding the controls in your environment that are likely to be relevant to their internal control over financial reporting.

There are two types of SOC 1 report:

SOC 1 Type 1: A SOC 1 Type 1 report tests whether your controls are designed appropriately to achieve control objectives at a specific date in time.

SOC 1 Type 2: A SOC 1 Type 2 report tests not only whether your controls are designed appropriately to achieve control objectives, but also whether they operated effectively over a period of time.

About the SOC 1 Examination Process

The A-LIGN SOC 1 assessment process is composed of five steps. Through every phase, A-LIGN works closely with your organization to determine the appropriate scope and expectations, helping to position you for an optimal outcome in the final assessment.

Step 1: Defining Scope

During the scoping phase, A-LIGN helps your organization determine the control areas and objectives that are critical to performing and safeguarding systems and the scope of service. Together, we’ll work to define the scope and identify relevant control areas including:

Control Area: Control Objective

Information Security: Controls provide reasonable assurance that logical access to programs, data and computer resources relevant to user entities’ internal control over financial reporting is restricted to authorized and appropriate users and such users are restricted to performing authorized and appropriate actions.

Physical Security: Controls provide reasonable assurance that physical access to a computer and other resources relevant to user entities’ internal control over financial reporting is restricted to authorized and appropriate personnel.

Change Management: Controls provide reasonable assurance that changes to application programs and related data management systems are authorized, tested, documented, approved and implemented to result in the complete, accurate and timely processing and reporting of transactions and balances relevant to user entities’ internal control over financial reporting.

Computer Operations – Data Backup: Controls provide reasonable assurance that data relevant to user entities’ internal control over financial reporting is backed up regularly and is available for restoration in the event of processing errors or unexpected processing interruptions.

Vendor Management: Controls provide reasonable assurance that risks resulting from vendor and third-party relationships are identified, assessed and managed.

Step 2: Preparation and Planning

Following scoping, the managing consultant working with your organization will reach out to walk you through the SOC 1 Examination process and provide an information request list (IRL) relevant to the defined scope.

The IRL maps to standard requirements we traditionally see for the following in-scope areas:

· Change Management
· Computer Operations – Data Backup
· Information Security
· Physical Security
· Vendor Management

Before starting the next step, your organization should work through the IRL to provide the requested information and work with the auditors to address any questions you have over specific requests.

As the examination date gets closer, the managing consultant will continue to stay in contact to answer questions and help ensure your organization uploads at least 70% of the requested evidence to our SharePoint site, A-SCEND.

Step 3: Testing and Review of Evidence

Next, the assigned consultant will perform testing. This is done remotely, onsite or a combination of both depending on the scope. The consultant will perform important assessment tasks including:

· Describing the various sections of the report
· Providing feedback on the system description and processes observed
· Holding meetings with stakeholders to understand the key processes and controls in place
· Reviewing evidence and performing testing to verify controls are in place
· Asking clarifying questions regarding the nature of the evidence
· Requesting any additional artifacts that may have been missed
· Reporting on system descriptions

Critical Note: It is vital that evidence is uploaded early. If 70% or more of evidence is uploaded before reporting begins, your organization has a higher likelihood of finishing the project on time and receiving a report in a timely manner. Drafting a report cannot begin until all evidence is uploaded.

Step 4: Reporting

Once all evidence has been uploaded to A-SCEND and reviewed and accepted by the A-LIGN team, the reporting phase begins. During this stage, A-LIGN works internally to finalize its review of all testing and prepare the draft report. When the draft report is sent, a management representation letter is also provided that must be signed by an appropriate member of your organization and returned to A-LIGN.

Step 5: Finalizing the Report

After reviewing the draft report, your comments and suggested updates and the signed management representation letter, A-LIGN addresses any comments, finalizes the report and delivers it to your organization.

Type 2 SOC 1 reports cover a minimum of six months and are valid for one year after being issued. If your organization needs to provide its customers additional verification over the controls environment for a period of time not covered by the most recently completed SOC 1 report, you can request a bridge letter, which provides additional verification that controls were in place and operating effectively up to three months following the period end date of your organization’s most recent SOC 1 report.

The A-LIGN Difference

A-LIGN’s experience and commitment to quality have helped over 1,300 clients successfully achieve SOC 1 certification. Our vigorous process outlined above helps you prepare for the SOC 1 Examination, and our team of experts is here to answer any question you might have at every step of the process, responding to all inquiries within twenty-four hours. With A-LIGN, you’re on the right path to achieving your SOC 1 report.

Interested in pursuing a SOC 1 report for your organization?

Contact A-LIGN at 1-888-702-5446 to speak with one of our cybersecurity and compliance professionals.