Spotlight on SOC 1
SOC 1 demonstrates your company’s commitment to accurately ingesting, processing, storing, and reporting your customer’s data—especially if that data is used in your customer’s own financial reporting.
SOC 1 Questions and Answers
How is the scope determined?
Know what is important to your customers:
- Which of their financial reporting processes do you affect?
- What processing do they rely on your service for?
- What are they expected to validate themselves?
- How might your Ops or Tech processes affect their data?
What kind of information is examined by the auditor?
- Process flows are examined to identify the risks that are relevant to your customers
- Configurations, code, and processes are sampled for appropriateness and consistency
- The focus is on the integrity of the data, not the accessibility of it
What is the expected timing?
- Reports generally must cover at least 9 months of your customers’ fiscal year
- The customer signs their own “bridge letter” for the uncovered months
- Reports must be delivered to your customers prior to their annual financial audit
What do most people wish they had known going into it for the first time?
- The auditor cannot write your controls, yet has to agree that they are sufficient
- The report is organized into Control Objectives (CO), which mitigate your processing risks
- Performing a data flow exercise for each CO is the best way to spot the risks
- Controls must combine to adequately address the risks within each CO
Ready to get started?
Let’s talk about how Modern Assurance can simplify your next SOC or compliance audit.