SOC1 Controls
A type I examination looks at the description or design of controls as of a specified date. The report for a type I includes the same sections as the type II; the only testing is a test of one to confirm the description or design of controls.
A type II examination also looks at the design of controls, but additionally includes testing of the operating effectiveness of controls over a period of time. A type II report covers a minimum of six months (there are exceptions to this, but as a general rule six months is the minimum). The goal is for the type II to cover 12 months and then to have annual type II reports so that coverage of controls is continuous.
If a service organization needs to get an initial report to a client or prospect quickly, the initial report can be a type I to show evidence of controls in place. If there is not a rush to get an initial report out quickly, we generally recommend starting with a type II.
Introduction
SOC 1, or System and Organization Control 1, is a report that verifies an organization's internal controls for financial reporting. SOC 1 reports are often provided to customers, their auditors, and the service organizations themselves.
SOC 1 reports are important for businesses that:
- Handle financial or non-financial information for clients
- Interact with financial information for customers or business partners
- Manage financial data or handle financial reporting for users
- Require their vendors to be compliant
SOC 1 reports provide assurance that a service organization's processing of transactions and data is consistent and reliable. They also help companies communicate their risk management and controls framework to stakeholders.
There are two types of SOC 1 reports:
- SOC 1 Type 1: Documents controls at a single point in time
- SOC 1 Type 2: Documents controls over a period of time (typically 3-12 months)
SOC 1 vs SOC 2 Reports
SOC 1 Reports
A SOC 1 report falls under the Statement on Standards for Attestation Engagements (SSAE) 18 AT-C 320 (formerly SSAE 16 or AT 801). The report is called a SOC 1 rather than being named after the standard (reports are NOT called SSAE 18s). A SOC 1 report has a financial focus that includes a service organization’s controls relevant to an audit of a service organization’s client’s financials. The service organization (with the assistance of the auditors) will figure out what the key control objectives are for the services they are providing to their clients. Control objectives will be related to both information technology processes and business processes at the service organization.
SOC 2 Reports
A SOC 2 report also falls under the SSAE 18 standard AT-C 105 and the SSAE 21 standard AT-C 205. The SOC 2 report includes a service organization’s controls that are outlined by the AICPA’s Trust Services Criteria (TSC), and that are relevant to its services, operations, and compliance. There are five available criteria: security, availability, processing integrity, confidentiality, and privacy. The security criteria, which are also referred to as the common criteria, are the only criteria required to be included in the SOC 2. The difference between SOC 1 and SOC 2 in reference to these controls and criteria is as follows:
- In a SOC 2, controls meeting the criteria are identified and tested.
- In a SOC 1, controls meeting the identified control objectives are tested.
A service organization can choose a SOC 2 report that includes just the security/common criteria, all five criteria, or a combination of the five criteria. The interested readers of the SOC 2 report may also be compliance officers, financial execs, and financial auditors, but could also be an organization’s IT execs, regulators, or partners.
In summary of the comparison of SOC 1 vs. SOC 2 reports:
- The SOC 1 addresses internal control relevant to a service organization’s client’s financial statements.
- The SOC 2 report addresses a service organization’s controls that are relevant to its operations and compliance, as outlined by the AICPA’s Trust Services Criteria (TSCs).
SOC1 Controls in SG
| ID | Objective | Count | Description |
|---|---|---|---|
| SOC1.A | Agreed Upon Objectives | 2 | |
| SOC1.A.1 | Agreed Upon Objectives | 2 | Objectives should be reviewed and agreed upon by company leadership and CPA partner. |
| ID | Objective | Count | Description |
|---|---|---|---|
| SOC1.ICFR | Internal Controls over Financial Reporting | 0 | |
| SOC1.ICFR.1 | Reconciliations | 0 | Controls provide reasonable assurance that cash and security positions are completely and accurately reconciled between the application and the depositories in a timely manner. |
| SOC1.ICFR.2 | Transactions and Events During a Period - Authorized | 0 | Controls provide reasonable assurance that transactions are authorized and received only from authorized sources. |
| SOC1.ICFR.3 | Transactions and Events During a Period - Accurate | 0 | Controls provide reasonable assurance that transactions are entered, processed, recorded and reported in an accurate manner. |
| SOC1.ICFR.4 | Transactions and Events During a Period - Complete | 0 | Controls provide reasonable assurance that transactions are entered, processed, recorded and reported in a complete manner. |
| SOC1.ICFR.5 | Transactions and Events During a Period - Timely | 0 | Controls provide reasonable assurance that transactions are entered, processed, recorded and reported in a timely manner. |
| SOC1.ICFR.6 | Transactions and Events During a Period - Valid | 0 | Controls provide reasonable assurance that transactions are validated in a complete, accurate, and timely manner. |
| SOC1.ICFR.7 | Account Balances - Period End - Rights and Obligations | 0 | Controls provide reasonable assurance that asset and liability balances relate to rights or obligations of the user entity. |
| SOC1.ICFR.8 | Account Balances - Period End - Accurate | 0 | Controls provide reasonable assurance that asset, liability and equity interest balances are reported in accurate amounts. |
| SOC1.ICFR.9 | Transactions and Events During a Period - Reported | 0 | Controls provide reasonable assurance that transactions are recorded and reported in the proper accounts. |
| SOC1.ICFR.10 | Account Balances - Period End - Complete | 0 | Controls provide reasonable assurance that balances represent all asset, liability, and equity interest balances that should have been recorded. |
| SOC1.ICFR.11 | Account Balances - Period End - Classified | 0 | Controls provide reasonable assurance that balances represent valid asset, liability, and equity interest balances and are classified properly. |
| ID | Objective | Count | Description |
|---|---|---|---|
| SOC1.OBJ | Additional Objectives | 0 | |
| SOC1.OBJ.1 | Additional Objective 1 | 0 | Refer to OBJ-1 in agreed upon list of objectives. |
| SOC1.OBJ.2 | Additional Objective 2 | 0 | Refer to OBJ-2 in agreed upon list of objectives. |
| SOC1.OBJ.3 | Additional Objective 3 | 0 | Refer to OBJ-3 in agreed upon list of objectives. |
| SOC1.OBJ.4 | Additional Objective 4 | 0 | Refer to OBJ-4 in agreed upon list of objectives. |
| SOC1.OBJ.5 | Additional Objective 5 | 0 | Refer to OBJ-5 in agreed upon list of objectives. |
| ID | Objective | Count | Description |
|---|---|---|---|
| SOC1.GBP | General Business Process | 6 | |
| SOC1.GBP.1 | Customer Implementation | 0 | Controls provide reasonable assurance that new customers are set up accurately and completely, according to the contractual agreement. |
| SOC1.GBP.2 | Data Input | 1 | Controls provide reasonable assurance that data input controls ensure the processing and accuracy of output files. |
| SOC1.GBP.3 | Human Resources | 2 | Controls provide reasonable assurance that employees and contractors understand their responsibilities and are suitable for the roles for which they are considered. Controls ensure the reduction in risk of theft, fraud, and misuse of facilities. |
| SOC1.GBP.4 | Organization and Administration | 3 | Controls provide reasonable assurance that management provides oversight, segregates duties, and guides consistent implementation of security practices. |
| ID | Objective | Count | Description |
|---|---|---|---|
| SOC1.ITGC | IT General Controls | 45 | |
| SOC1.ITGC.CM | Change Management | 13 | |
| SOC1.ITGC.CO | Computer Operations | 15 | |
| SOC1.ITGC.IS | Information Security | 17 | |
| ID | Objective | Count | Description |
|---|---|---|---|
| SOC1.ASP | Application Service Provider | 3 | |
| SOC1.ASP.1 | Transaction Recording | 0 | Controls provide reasonable assurance that client transactions are initially recorded completely, accurately, and in a timely manner. |
| SOC1.ASP.2 | Transaction Processing - Timely | 0 | Controls provide reasonable assurance that client transactions are processed in a timely manner and reported in accordance with client-specific business rules. |
| SOC1.ASP.3 | Customer Support | 0 | Controls provide reasonable assurance that production and business problems are identified, recorded, analyzed, and resolved completely and in a timely manner. |
| SOC1.ASP.4 | System Availability | 2 | Controls provide reasonable assurance that system availability is monitored and issues are identified and resolved on a timely basis. |
| SOC1.ASP.5 | New Customer Setup | 0 | Controls provide reasonable assurance that new customers are established on the system in accordance with the applicable contracts and requirements. |
| SOC1.ASP.6 | Customer Maintenance | 0 | Controls provide reasonable assurance that maintenance instructions are properly authorized, recorded completely and accurately, and processed timely. |
| SOC1.ASP.7 | Transaction Processing - Valid | 0 | Controls provide reasonable assurance that invalid transactions and errors are identified, rejected, and correctly re-entered into the system in a timely manner. |
| SOC1.ASP.8 | Transaction Processing - Complete | 1 | Controls provide reasonable assurance that the contents of data files remain complete and accurate, and the correct versions of all data files are used in processing. |
| ID | Objective | Count | Description |
|---|---|---|---|
| SOC1.CP | Claims Processor | 0 | |
| SOC1.CP.1 | Claim Payments | 0 | Controls provide reasonable assurance that adjudicated claims are paid in a complete, accurate, and timely manner. |
| SOC1.CP.2 | Claim Payments and Billing Operations - Authorized | 0 | Controls provide reasonable assurance that customer invoices and funding requests are authorized and processed in a complete, accurate, and timely manner. |
| SOC1.CP.3 | Claim Payments and Billing Reports | 0 | Controls provide reasonable assurance that reports provided to customers are complete, accurate, and timely. |
| SOC1.CP.4 | Claims Receipts and Adjudication - Authorized | 0 | Controls provide reasonable assurance that claims are received only from authorized sources. |
| SOC1.CP.5 | Claims Receipts and Adjudication | 0 | Controls provide reasonable assurance that claims received are entered in a complete, accurate, and timely manner. |
| SOC1.CP.6 | Claims Receipts and Adjudication - Adjustments | 0 | Controls provide reasonable assurance that claim adjustments are authorized and processed in a complete, accurate, and timely manner. |
| SOC1.CP.7 | Claims Receipts and Adjudication - Other | 0 | Controls provide reasonable assurance that claim actions for subrogation, coordination of benefits, and other recoveries for submitted claims are processed in a complete, accurate, and timely manner. |
| SOC1.CP.8 | Enrollment | 0 | Controls provide reasonable assurance that enrollment and eligibility information received from customers is authorized and processed in a complete, accurate, and timely manner. |
| SOC1.CP.9 | Groups or Customers | 0 | Controls provide reasonable assurance that group and benefits contracts are authorized and that contract terms are established and maintained in a complete, accurate, and timely manner. |
| SOC1.CP.10 | Providers | 0 | Controls provide reasonable assurance that provider contracts are authorized and provider data is established and maintained in a complete, accurate, and timely manner. |
| ID | Objective | Count | Description |
|---|---|---|---|
| SOC1.DCP | Defined Contribution Plan | 0 | |
| SOC1.DCP.1 | Asset Purchases and Redemption | 0 | Controls provide reasonable assurance that asset purchase and redemption transactions are authorized and complete, accurately traded, and recorded in a timely manner. |
| SOC1.DCP.2 | Client Onboarding | 0 | Controls provide reasonable assurance that client information and data is imported securely during onboarding to the organization’s private system. |
| SOC1.DCP.3 | Contributions and Loan Payments | 0 | Controls provide reasonable assurance that contributions and loan payments are authorized and completely and accurately processed and recorded in a timely manner. |
| SOC1.DCP.4 | Defined Contribution Plan Setup | 0 | Controls provide reasonable assurance that defined contribution plans set up on the application are authorized by plan sponsors and completely and accurately processed and recorded in a timely manner. |
| SOC1.DCP.5 | Fees | 0 | Controls provide reasonable assurance that requests for new fee setup, changes, corrections, terminations, and reversals are completely and accurately processed and recorded in the application in a timely manner. |
| SOC1.DCP.6 | Investment Income | 0 | Controls provide reasonable assurance that investment income, dividends, corporate actions, and participant account values are completely and accurately calculated, processed, and recorded in a timely manner. |
| SOC1.DCP.7 | Invoice Routing | 0 | Controls provide reasonable assurance that invoice routing functionality is accurate. |
| SOC1.DCP.8 | Loan Requests | 0 | Controls provide reasonable assurance that loan requests are authorized and completely and accurately processed and recorded in a timely manner. |
| SOC1.DCP.9 | New Fund Setup and Changes | 0 | Controls provide reasonable assurance that new funds and changes to funds are authorized and completely and accurately implemented in a timely manner. |
| SOC1.DCP.10 | Participant Administration | 0 | Controls provide reasonable assurance that participant enrollments and changes to participant data are authorized, and completely and accurately processed and recorded in a timely manner. |
| SOC1.DCP.11 | Plan Administration | 0 | Controls provide reasonable assurance that changes to plan data are authorized, and completely and accurately processed and recorded in a timely manner. |
| SOC1.DCP.12 | Plan and Participant Statement Reporting | 0 | Controls provide reasonable assurance that plan and participant statements are accurate, complete, and provided to or sent to the plan sponsors or participants in a timely manner in accordance with contractual agreements. |
| SOC1.DCP.13 | Plan Distributions and Payments | 0 | Controls provide reasonable assurance that plan distributions and payments to participants are authorized and completely and accurately processed and recorded in a timely manner. |
| SOC1.DCP.14 | Transfers and Changes in Investment Allocations | 0 | Controls provide reasonable assurance that participant-initiated transfers and changes in investment allocations are authorized and completely and accurately processed and recorded in a timely manner. |
| ID | Objective | Count | Description |
|---|---|---|---|
| SOC1.IM | Investment Manager | 0 | |
| SOC1.IM.1 | Account Statements and Client Reports | 0 | Controls provide reasonable assurance that account statements and client reports detailing client account holdings and market values are complete, accurate, and provided to clients in a timely manner. |
| SOC1.IM.2 | Confirmation, Affirmation, or Settlement | 0 | Controls provide reasonable assurance that investments are settled in a complete, accurate, and timely manner. |
| SOC1.IM.3 | Confirmation, Affirmation, or Settlement - Informed | 0 | Controls provide reasonable assurance that custodians are informed of transactions in a complete, accurate, and timely manner. |
| SOC1.IM.4 | Corporate Actions | 0 | Controls provide reasonable assurance that corporate action notices are identified and received from an authorized source and are updated in the system in a complete, accurate, and timely manner. |
| SOC1.IM.5 | Custodian Reconciliation | 0 | Controls provide reasonable assurance that security positions and cash balances reflected in the portfolio accounting system are reconciled in a complete, accurate, and timely manner to actual positions and balances held by custodians. |
| SOC1.IM.6 | Investment Management Fees | 0 | Controls provide reasonable assurance that investment management fees and other expenses are authorized, calculated, and recorded in a complete, accurate, and timely manner. |
| SOC1.IM.7 | Investment Income - Authorized Source | 0 | Controls provide reasonable assurance that interest, dividend, and other income information is received from an authorized source and recorded in a complete, accurate, and timely manner. |
| SOC1.IM.8 | Investment Income - Cash Processing | 0 | Controls provide reasonable assurance that cash received for interest and dividends is processed in a complete, accurate, and timely manner. |
| SOC1.IM.9 | Investment Transaction Processing | 0 | Controls provide reasonable assurance that investment transaction instructions are authorized and entered into the system in a complete, accurate, and timely manner. |
| SOC1.IM.10 | Investment Transaction Processing - Guidelines | 0 | Controls provide reasonable assurance that portfolio guidelines are monitored and exceptions are identified and resolved in a complete, accurate, and timely manner. |
| SOC1.IM.11 | Investment Transaction Processing - Allocations | 0 | Controls provide reasonable assurance that allocations are approved by a portfolio manager. |
| SOC1.IM.12 | Investment Transaction Processing - Block Orders | 0 | Controls provide reasonable assurance that block orders are allocated to clients on a pro rata basis for equity trades and a predetermined allocation for fixed-income trades. |
| SOC1.IM.13 | Loans - Authorized | 0 | Controls provide reasonable assurance that loans and collateral are authorized and processed and recorded in a complete, accurate, and timely manner. |
| SOC1.IM.14 | Loans - Investment | 0 | Controls provide reasonable assurance that collateral on loans is invested in accordance with the lender agreement and recorded and monitored in a complete, accurate, and timely manner. |
| SOC1.IM.15 | Loans - Repayments | 0 | Controls provide reasonable assurance that loan repayments are processed and recorded completely, accurately, and in a timely manner. |
| SOC1.IM.16 | Money Movement | 0 | Controls provide reasonable assurance that money movement (receipts and disbursements) is authorized and processed in a complete, accurate, and timely manner. |
| SOC1.IM.17 | Net Asset Valuation | 0 | Controls provide reasonable assurance that net asset values are authorized and calculated in a complete, accurate, and timely manner. |
| SOC1.IM.18 | New Account Setup and Administration - Authorized | 0 | Controls provide reasonable assurance that new accounts are authorized and set up in accordance with client instructions and guidelines in a complete, accurate, and timely manner. |
| SOC1.IM.19 | New Account Setup and Administration - Modifications | 0 | Controls provide reasonable assurance that account modifications are authorized and implemented in a complete, accurate, and timely manner. |
| SOC1.IM.20 | New Account Setup and Administration - Reconciliation | 0 | Controls provide reasonable assurance that new account holdings and cash are reconciled to custodian bank statements in a complete, accurate, and timely manner. |
| SOC1.IM.21 | Securities Pricing | 0 | Controls provide reasonable assurance that security prices are received from an authorized source and updated in a complete, accurate, and timely manner. |
| SOC1.IM.22 | Securities Setup | 0 | Controls provide reasonable assurance that new securities and changes to existing securities are authorized and entered in the security master file in a complete, accurate, and timely manner. |
| SOC1.IM.23 | Pricing Overrides | 0 | Controls provide reasonable assurance that price overrides are authorized and processed in a complete, accurate, and timely manner. |