"Without a standard there is no logical
basis for making a decision or taking action."
Joseph M. Juran
A SOC 1 Report (System and Organization Controls Report) is a report on the internal controls at a service organization that may be relevant to financial reporting.
SOC 1 reports adhere to the Statement on Standards for Attestation Engagements No. 18 (SSAE 18, formerly SSAE 16), which is issued and maintained by the AICPA (American Institute of Certified Public Accountants).
There are two types of SOC 1 reports:
- Type I is a "snapshot" of the situation on a specific date.
- Type II covers a specific pre-defined period, most commonly a full year.
WHO NEEDS SOC 1?
Service providers that deliver managed services, application services, or any other type of third-party service are asked, or choose, to undergo some kind of SOC audit.
Why would you conduct a SOC engagement? There are two main reasons:
- You are required to furnish a SOC 1 report to the company that outsources its services to your organization.
- You want to show that your security posture and practices are adequate, so that new partners and clients have another reason to choose your services.
TALK TO US
The Seven Security Group team for SOC 1 engagements consists of information security professionals (CISA, CISSP, CEH) and Certified Public Accountants (CPA), with the aim of meeting all quality auditing and reporting requirements of the specific professional standards established by the AICPA.
Seven Security Group will assist you throughout the entire SOC 1 engagement, with activities and consulting services that cover preparation, remediation, and testing, and end with producing the SOC 1 report for you.
Below is an example list of our involvement in a typical SOC 1 project:
- Perform an initial assessment (gap analysis) to identify possible issues.
- Produce the necessary service descriptions.
- Put together a proper management attestation.
- Devise the right combination of controls to meet requirements.
- Test the controls and report on the testing.
- Communicate the report to your management and get its approval.
- Issue the final SOC 1 Report.