In the IT space, the typical manager is responsible for both the long-term strategic management and the day-to-day management of the company's hardware and software. Beyond that, the manager must also cultivate relationships with service organizations, especially those whose control environment affects the company's already established risk assessment.
SOC1 Compliance for Asset Managers
What is the Importance of a SOC1 Report?
A SOC 1 report gives the entities that use a service organization (known as user entities) an independent evaluation of that service organization's controls, to the extent those controls can affect the user entity's financial reporting. In essence, the report is a business partner's assurance that it has implemented internal controls that help safeguard its processing environment, which in turn helps protect yours. Keep in mind that the scope is controls relevant to financial reporting, so a SOC 1 report is not a general-purpose attestation of a vendor's security posture.
Which Service Organizations should provide a SOC report?
Asset managers must gather information from every business to which their organization has outsourced services, for instance the payroll processing company. Generally, service organizations comprise cloud service providers, trust services and Software-as-a-Service (SaaS) providers whose functions can influence the user entity's internal controls over financial reporting (ICFR).
What is the Relevance of SOC 1 Reports from Service Organizations to User Entities?
The American Institute of Certified Public Accountants (AICPA) issues the standards under which attestation engagements are performed. An attestation engagement is one in which an independent auditor examines and reports on subject matter that is the responsibility of another party; for a SOC 1, that subject matter is management's description of the service organization's system and its assertion about the design (and, for a Type II, the operating effectiveness) of the controls, not simply a check that management answered interview questions truthfully. In the internal audit space, SOC 1 reports are still sometimes called "SAS 70" reports, a term retired in 2011 when SSAE 16 superseded SAS 70 (SSAE 18 has since replaced SSAE 16).
The relationship between SOC1 reporting and Sarbanes-Oxley (SOX) reporting
Beyond both relating to financial reporting and sounding similar, SOX and SOC 1 reports play two distinct roles. Keep in mind that they are not interdependent, even though they overlap at times.
The Sarbanes-Oxley Act (SOX) was passed into law by the US Congress in 2002, in response to a series of accounting scandals at large corporations including WorldCom, Tyco International PLC and Enron Corporation, which sent the stock market into a plunge a few months before the 2002 midterm elections. To restore investor confidence, Section 404 of SOX requires management to assess, and report on, the scope and adequacy of the company's internal controls and procedures for financial reporting.
A SOC 1 report is concerned with the same subject matter as SOX 404 compliance, internal control over financial reporting, but it serves a different audience. SOX 404 is about a public company attesting to its own control environment for investors and regulators; a SOC 1 report is used by the service organization's clients (and their auditors) to assess the service organization's controls and, in particular for a Type II report, their operating effectiveness.
SOC1 Report: What is it?
SOC 1 reports are divided into Type I and Type II. Although a user entity uses both kinds of report in much the same way, they contain different information. A Type I report presents management's description of the service organization's system and the auditor's opinion on whether the controls are suitably designed, as of a specified date. A Type II report starts the same way, but the auditor also tests the controls over a period (typically six to twelve months) and reports on whether they operated effectively throughout that period.
What is a SOC 1 bridge letter?
Also known as gap letters, SOC 1 bridge letters fill the time gap between the end of the period covered by a report and the user entity's fiscal year-end. For example, a SOC 1 Type II report might cover the first through the third fiscal quarter, leaving the fourth quarter uncovered.
The user entity's auditor needs the report while carrying out the interim internal control assessment, so the service organization has to have the report completed before that auditor arrives. The time between the end of the report period and year-end creates a gap in attestation.
After the SOC 1 audit period closes, the service organization issues an update on its internal controls: the bridge letter tells user entities whether there have been any material changes, particularly to the control environment, since the period covered by the report. Note that the bridge letter is written by the service organization's management, not by its auditor, so it is a management representation rather than an audited attestation.
The scope of the asset manager in SOC 1 reporting
Three areas are associated with an asset manager's use of SOC 1 reporting. First, "baseline" means that a user organization's internal control over financial reporting (ICFR) is one commonly covered by the scope of issued SOC 1 reports. Second, "not baseline" means that a user organization's internal control is not commonly covered by the scope of issued SOC 1 reports. Lastly, "other areas to consider" covers internal controls that are not commonly in scope but may nonetheless be included in it.
How automating the SOC 1 report review can simplify vendor management
As more organizations rely on service organization partners, asset managers may need to manage more vendors and review more reports. That steady flow of documentation calls for a repository in which to store it. Tools such as ZenGRC can provide a single source of truth that simplifies the collection of audit information. Such automated GRC tools also make collaboration easier by providing one accessible location where all stakeholders can work together.
Author Bio
Ken Lynch is an enterprise software startup veteran who has always been fascinated by what drives people at work and how to make work more engaging. Ken founded Reciprocity to pursue just that. He has propelled Reciprocity's success with this mission-based goal of engaging employees with the governance, risk and compliance goals of their company in order to create more socially minded corporate citizens. Ken earned his BS in Computer Science and Electrical Engineering from MIT.