What are the requirements
for a SOC 1 report?
For certification, your organization needs a report describing its risk management and internal control. This report is also known as a Service Organization Control Report (SOC), terminology that originates from the United States (AICPA). If a SOC report concerns outsourced activities, it is referred to as a SOC 1 (US) or ISAE 3402 report. If the report pertains to certification according to a specific standard (e.g., Trust Service Principles), it is called a SOC 2 or ISAE 3000 report. An ISAE 3000 report can also be prepared for compliance with the General Data Protection Regulation (GDPR).
The requirements are listed in the standard, which can be downloaded from the IFAC website.
Broadly, the standard consists of the following parts.
To be ‘certified’ under ISAE 3402, an organization must have a Service Organization Control Report (SOC). A SOC is form-free, meaning the standard does not prescribe specific content. However, various ‘practices’ have emerged. There are also requirements for reports from entities such as De Nederlandsche Bank, sector institutes, or the service organizations themselves. A SOC report is usually divided into two parts: a general part with a description of the organization, the risk management and internal control system, and a ‘control matrix.’ The control matrix includes the control objectives and a description of the control measures that ensure these objectives. The ultimate framework for the ISAE 3402 report is the financial statement. All processes that significantly affect financial processes must be included. Generally, these are all operational, financial processes, and the General IT Controls.
ISAE 3402 Type I or Type II?
There are two types of reports: a Type I and a Type II report. A Type I report provides a snapshot of the control organization at a single point in time. During the audit, the accountant assesses the control measures only on their design and existence. This means the accountant reviews the entire report (SOC) and goes through the processes once. In a Type II report, in addition to design and existence, the effective operation of control measures is also tested by the accountant. Due to the impact of ISAE 3402 on an organization, it is usually chosen to start with a Type I report and implement a Type II in the subsequent period.