Third-party companies hired to transmit, hold or store the cardholder data of a business’s customers have a grave responsibility. In this age of viruses, ransomware, and data breaches, all service organizations must institute internal controls, policies, and procedures to safeguard the vital information that has been entrusted to them.
To that end, it is strongly recommended that companies perform an annual audit of their systems and obtain the resulting System and Organization Controls 1 (SOC 1) report.
What is a SOC 1 Report?
The well-being of many of today’s businesses is closely linked with the customer data they either hold themselves or outsource to a third-party service organization. In many cases, a compromise of this information directly and negatively affects the company’s income statements and balance sheets. A SOC 1 audit checklist is designed to be a tool for the responsible stakeholders in your company who are preparing for the SOC 1 auditor’s assessment.
In 2011, the American Institute of Certified Public Accountants (AICPA) developed standards designed to help company officials as they reviewed all of their internal controls, systems, and procedures pertaining to customer data security.
Formerly conducted under Statement on Standards for Attestation Engagements No. 16 (SSAE 16) and its audit checklist, this report has been updated and is now performed under SSAE 18, with the accompanying SSAE 18 checklist.
The management team charged with gathering and preparing the relevant information before turning it over to the auditors must describe in detail the internal controls, policies, and procedures that have been put in place to protect clients’ financially relevant information.
All claims must be backed by solid documentation since it is the auditor’s task to evaluate whether what you have instituted adequately protects the customer’s information and meets SOC 1 requirements. Furthermore, the auditor must determine whether you have represented your systems accurately, fairly, and completely.
SOC 1 Types
SOC 1 reports are categorized as either type 1 or type 2. Type 1 reports cover the fairness of the system description and the design and effectiveness of controls as of a specified date. Type 2 reports address the same questions over a specified period of time, generally one year.
Service organization managers, stakeholders, and auditors are the only parties authorized to have access to either type of SOC 1 report.
Using a SOC 1 Audit Checklist
Since compiling these reports can be a complex process of juggling several balls at once, many companies find it helpful to use a SOC 1 compliance checklist to ensure that all SOC requirements and SOC 1 controls have been covered. This SSAE 18 audit checklist is a working document that usually spans the following guidance areas:
- Is your company’s organizational structure defined?
- Have you delegated the task of developing policies and procedures to specific employees?
- What are your background screening procedures and employee conduct standards?
- Do employees and other stakeholders learn and understand how to use your systems?
- Are there procedures in place to address changes in a timely and effective way?
- Have you performed a formal risk assessment to identify, analyze and mitigate potential threats to your system?
- Does your organization regularly assess its vendor management?
- Do you annually review all policies and procedures, updating them when necessary?
- Have you implemented physical and logical access controls?
Taking the time to complete a SOC 1 audit requirements checklist can be extremely helpful as you organize your evidence in preparation for working with a CPA on your audit.
Get the Help You Need
If you provide cloud hosting and storage, payroll processing, medical claims processing, or Software as a Service (SaaS), it is quite likely that you need a SOC 1 audit. Even if this is clear, you may be wondering how to find the best firm for the job.
Although there are many well-respected resources that you can contact, it makes sense to do so after arming yourself with some information. As you go through the process of gathering the facts about several candidates, review the following questions:
- Is the firm a licensed provider experienced with SOC 1 audits and SSAE 18?
- Does the firm know about your particular specialty?
- What controls and objectives does the firm employ to perform your review?
- What is the scope of the audit you wish to perform? Consider issues such as the physical location or locations for the audit, the audit’s testing period, and which personnel should be involved. Then specify which controls and procedures will be the focus of the assessment.
Thorough research is key in finding a provider who is best equipped to help you in meeting your SOC 1 audit needs.
TrustNet’s offerings include assistance with your internal policies and procedures, data flow, network diagrams and segmentation, configurations, security architecture, and all levels of your self-assessment questionnaire. The experienced professionals at TrustNet know the importance of demonstrating all areas of PCI compliance to your valuable customers.
SOC 1 standards have been set forth to make the auditing process clear and useful to service organizations and the companies with whom they do business.
With the right planning and guidance, the reporting process can be one of the most rewarding steps you can take to establish and publicize the credibility of your company’s financially based security controls.