Report on Controls at a Service Organization Relevant to User Entities’ Internal Control over Financial Reporting (ICFR)
These reports, prepared in accordance with AT-C section 320, Reporting on an Examination of Controls at a Service Organization Relevant to User Entities’ Internal Control Over Financial Reporting, are specifically intended to meet the needs of entities that use service organizations (user entities) and the CPAs that audit the user entities’ financial statements (user auditors), in evaluating the effect of the controls at the service organization on the user entities’ financial statements.
The SOC 1 examination report includes the following three key components:
1. Management's assertion
As with all SOC reports, an assertion is provided by management. Specifically, the assertion addresses whether
(a) the description of the system and the controls is presented in a clear manner and
(b) the controls within the organizations’ system description were effective to achieve the organization’s system objectives based on the control objectives.
2. Practitioner's report
The second component is a practitioner’s report, which contains an opinion, which addresses both subject matters in the examination. Specifically, the opinion addresses whether
(a) the description of the system and the controls is presented in a clear manner and
(b) the controls within the organizations’ system description were effective to achieve the organization’s system objectives based on the control objectives.
3. Management's description of the service organizations' service system
The last component is a management-prepared narrative description of the service organizations’ service system (description). Of course, BRC will assist the organization’s management in preparing this description. This description should include the relevant aspects of the internal control components:
• Control Environment
• Risk Assessment Process
• Information and communication systems
• Control Activities
• Monitoring Controls
The description provides the context needed for users to understand the conclusions, expressed by management in its assertion and by the practitioner in his or her report.
There are two types of reports for SOC 1 Reports:
- Type 2 – report on the fairness of the presentation of management’s description of the service organization’s system and the suitability of the design and operating effectiveness of the controls to achieve the related control objectives included in the description throughout a specified period.
- Type 1 – report on the fairness of the presentation of management’s description of the service organization’s system and the suitability of the design of the controls to achieve the related control objectives included in the description as of a specified date.
Use of these reports is restricted to the management of the service organization, user entities, and user auditors.
Let’s get started today. BRC is ready to help your organization complete a SOC 1 Examination. Contact Ben Hunter III, CPA/CITP, CISA, CRISC, CDPSE, CISM at (336).294.4494 (bhunter@brccpa.com) to get started today.
Ben Hunter, III CISO, Advisory Services Principal, CPA/CITP, CISA, CRISC, CDPSE, CISM
Ben is the Chief Information Security Officer for BRC and is a Principal in our Firm’s Risk Advisory Services Practice. He specializes in Cybersecurity and Information Technology Audits and Assessments. Ben began his cybersecurity career in the US Marine Corps. After becoming a Certified Public Accountant, he continued his cybersecurity and IT Audit training […]