Service Organization Control (SOC) 1

Part 1 - General information
Service Organization Control (SOC) 1
SOC 1
American Institute of Certified Public Accountants (AICPA)

Within a SOC 1 report, the defined scope covers the classes of transactions processed, the procedures for processing and reporting those transactions, the accounting records, the handling of significant events and conditions other than transactions, and the preparation of reports relevant to processing and reporting user entities' transactions. The underlying control objectives are defined by the service organization and vary with the type of service provided. A SOC 1 report concludes on the fairness of presentation of management's description of the service organization's system, on the suitability of the design of the controls to achieve the related control objectives and, for a Type 2 report, on their operating effectiveness over a specified period. The reports are important inputs to user entities' evaluation of their internal control over financial reporting, to their compliance with laws and regulations on financial reporting, and to the user entities' auditors as they plan and perform audits of the user entities' financial statements. A SOC 1 report may be issued under Statement on Standards for Attestation Engagements (SSAE) No. 16, issued by the American Institute of Certified Public Accountants (AICPA), or under International Standard on Assurance Engagements (ISAE) 3402, issued by the International Auditing and Assurance Standards Board (IAASB).
an organisation, one or more services, set of business processes, one or more cloud services

Part 2 - Underlying information security standard or best practices
A. International Standard on Assurance Engagements (ISAE) 3402: the international version. It focuses on companies reporting under IFRS, but may also be used by companies applying other financial reporting standards.
B. Statement on Standards for Attestation Engagements (SSAE) No. 16: minor deviations from ISAE 3402. It replaced the SAS 70 standard and is intended for US-based or SEC-relevant companies. It also established a new attestation section, AT 801, which contains guidance on performing the service auditor's examination. (SSAE 16 and AT 801 have since been superseded by SSAE No. 18 and AT-C section 320, effective for reports dated on or after 1 May 2017; the structure of the engagement described here is unchanged.)
ISAE 3402 - International Auditing and Assurance Standards Board (IAASB)
SSAE 16 - American Institute of Certified Public Accountants (AICPA)
AT 801 - American Institute of Certified Public Accountants (AICPA)
control objectives, detailed technical requirements
Facilities (hardware, cooling, etc), PaaS, IaaS, SaaS, Organization (processes, policies)
purchase for a small fee
no
The standard requires the management of a service organization to set control objectives, so that controls are in place over the aspects of its services that affect user entities' internal control over financial reporting (ICFR). The control objectives are set individually, as they refer to the specific service provided within the defined environment and processes. An example might read: "Controls provide reasonable assurance that batch processing transactions are authorized and are completely and accurately processed." For each control objective, specific controls must be designed that are capable of meeting it (design effectiveness). The controls must then be implemented and operated consistently, such that an auditor is able to observe, inspect or re-perform the stated control and to obtain evidence that it operated as designed throughout the review period (operating effectiveness).
Part 3 - Assessments and certification of compliance
1. The service organization compiles its control objectives and designs adequate controls.
2. The service organization prepares a description of its system and processes covering the relevant aspects of the control environment.
3. The service organization implements the controls, documents their execution, and monitors both the execution and the documentation.
4. The service organization issues a management assertion on the fair presentation of its system and controls.
5. An auditor is engaged to assess whether the implemented controls operated effectively over an agreed period in the past (typically one year or six months).
6. The auditor forms an opinion on the fair presentation of the system and controls and issues the audit report.
Certified Public Accountants (CPAs), and their national equivalents, are the principal issuers of SOC 1 reports for service organizations.
The AICPA and its national equivalents (e.g. the IDW in Germany) license the CPAs, or their national equivalents (e.g. Wirtschaftsprüfer, WP), who are required to review and sign the report.
audit code/guideline
yes (link below)
no
no
no
no
yes - provide a link to an example
yes (description below)
SOC 1 (under SSAE 16) replaced the former SAS 70.
yes (description below)
A SOC 1 report is not a certification. A Type 1 report covers the description and the suitability of control design as of a point in time; a Type 2 report additionally covers the operating effectiveness of the controls over a stated period. Neither attests to anything outside that date or period.
Part 4 - Current adoption and usage
SOC 1 reports, or comparable national equivalents, are used by service providers to reduce the number of individual audits performed by their customers: one auditor's report is relied on by many user entities and their auditors. The framework is therefore adopted globally.
global
global
Part 5 - Security objectives