For service organizations like payroll processors, claims administrators, or loan servicers, providing assurance over your Internal Controls over Financial Reporting (ICFR) is non-negotiable. Our specialized team helps you navigate SOC 1® requirements and deliver the information your clients and their financial assessors require.

A SOC 1® examination, performed under the Statement on Standards for Attestation Engagements (SSAE) No. 18, is a rigorous assessment of the controls your service organization implements that are relevant to your user entities' (clients') financial statements. This examination is critical for service organizations whose systems handle financial data or impact key financial processes of their clients (e.g., outsourced transaction processing, data hosting for financial records, or claims administration). The resulting SOC 1® report provides assurance to your clients and their financial assessors that the risks related to outsourced services are appropriately managed.

Your SOC 1® report serves as a powerful business enabler and a critical compliance artifact. By providing a single, centralized verification document, it streamlines assessments and ensures that controls relevant to financial data are tested and documented consistently. This approach reduces redundancy by eliminating the need to respond to multiple individual client questionnaires, while simultaneously satisfying the mandatory requirements from user entities and their assessors to evaluate risks associated with outsourced services. The report provides a competitive advantage, differentiating your service offering through a clear, verified commitment to internal control and financial stewardship.

A SOC 1® examination is not mandated by law, but it is typically a contractual or business requirement imposed by your user entities (clients). If the services you provide affect your client's financial records, their own financial assessors will require a SOC 1® report from you to complete their statutory financial assessments.

Completing a SOC 1® requires partnering with a specialized firm like Auditwerx. The overall process involves three core phases: Readiness, Evidence Gathering, and Reporting. The goal is to define the boundaries of the service being provided, document the controls (System Description), test those controls, and ultimately issue a formal report detailing the findings and opinion.
If your organization has already achieved compliance or is working towards compliance with another security framework, you are likely closer to SOC 1® compliance than you realize. Reporting on multiple frameworks during one examination can save you time and money.
SOC 2® / ISO 27001: Controls related to access management, security monitoring, change control, and logical access (often 70-80% of your technical controls) can typically be mapped directly into your SOC 1® report.
PCI DSS: Controls related to network security, firewall configuration, and vulnerability management can significantly contribute to the required IT general controls in your SOC 1® report.
The type of SOC 1® report you pursue depends on the level of assurance your clients require. We guide you in selecting the appropriate report type for your business needs.
| Report Type | Focus of the Examination | Assurance Provided | Key Use Case |
| --- | --- | --- | --- |
| Type 1 | Design of Controls | Opinion on the suitability of the design of controls as of a specified date. | Provides a quick snapshot that controls are properly designed to meet control objectives. Often used for first-time reporting. |
| Type 2 | Design AND Operating Effectiveness | Opinion on the suitability of the design and the operating effectiveness of controls over a specified period (typically 6 to 12 months). | Provides the highest level of assurance, confirming controls were operational and effective throughout the entire period. This is generally preferred by user entity financial assessors. |
Our methodology focuses on clarity and efficiency, ensuring minimal disruption to your daily operations while securing a high-quality report.
Scoping & Control Definition: We work with your management team to precisely define the System Description, control objectives, and the in-scope systems. This step ensures that only controls relevant to ICFR are included.
Gap Assessment: We perform a preparatory assessment to identify the controls in your current operations. Through this process, we identify any gaps in your control environment and provide insight into how they may affect your assessment.
Report Type Selection: We guide you in selecting the appropriate report type: Type 1 (control design as of a date) or Type 2 (operating effectiveness over a period of time).
Evidence Collection: Our team gathers evidence, including policies, procedures, change management logs, and configuration settings, that demonstrate your controls are operating as described.
Control Testing: We test samples of your control activities over the specified period (for a Type 2 report). This involves interviewing key personnel and examining evidence to verify the operating effectiveness of controls.
Report Drafting: Our senior team drafts the comprehensive SOC 1® report, which includes your management’s detailed System Description, our independent description of the tests performed, and the results of our testing.
Opinion Issuance: We issue our final opinion on the fairness of the System Description and the suitability (Type 1) or operating effectiveness (Type 2) of the controls. The final report is delivered to you for distribution to your user entity clients.
Choosing Auditwerx for your SOC 1® examination gives you a distinct advantage. Secure the necessary assurance to retain and attract clients relying on your financial controls.

We are proud to be an independent firm with no conflicts of interest in completing your report.

We focus only on controls and evidence that will score points in the final assessment.

Partner with a single firm throughout your entire compliance lifecycle. Our findings are objective and have no conflicts of interest.

Our U.S.-based team of assessment professionals is never outsourced.

200+ years of collective experience translates to the most efficient path to certification, saving you time and money.

We offer flexible integration with leading GRC tools, so you don't have to duplicate evidence.
Any service organization that processes or hosts data that is incorporated into a client’s financial statements requires a SOC 1® report.
Service providers that directly affect the calculation and recording of income, expenses, and asset balances.
Organizations that manage mortgage portfolios, debt collection, or hold assets on behalf of others. Their controls over the accuracy and completeness of loan balances and asset records are critical to client financials.
Companies processing ACH transfers, wire transfers, or fund disbursements, where the reliability of the system directly impacts cash and liability accounts.
Only if they host or manage financially relevant systems (like ERPs, general ledgers, or treasury systems). Their physical and environmental security controls must be assured to protect the financial applications.
Companies managing salary, wages, taxes, and benefits calculations, as these services directly determine the client's personnel expenses and related liabilities.
Organizations holding and managing funds for clients, where controls over segregation of duties and transaction integrity are essential to prevent misstatement.
Firms that provide services for portfolio management, valuation, and performance reporting, which directly feed into the asset valuations on their clients' balance sheets.
SSAE 18 is the current standard for SOC 1® assessments, replacing the older SAS 70 standard. SSAE 18 introduced stricter requirements for service organization management, particularly concerning subservice organization monitoring and the completeness of the System Description. All SOC 1® reports today must be performed under SSAE 18.
This depends entirely on your user entities’ needs:
Choose SOC 1® if your service directly impacts your client’s financial reporting (e.g., transaction processing, outsourced accounting).
Choose SOC 2® if your service handles sensitive customer data or provides a technology-based service where security, availability, or confidentiality is key (e.g., cloud hosting, managed security).
While a Type 1 report is often the starting point for first-time service organizations, most user entities and their financial assessors require a new SOC 1® Type 2 report annually. This annual renewal is necessary to ensure continuous assurance regarding the operating effectiveness of your controls over a specified period.
ICFR stands for Internal Controls over Financial Reporting. In the context of a SOC 1® report, these are the controls that a service organization has in place to ensure that the services provided to clients do not result in material misstatements in the client’s financial statements.
…Both operations and assessment teams executed the engagement flawlessly, on-time and on-budget. The Auditwerx team provided us with the necessary guidance, tools and knowledge...We would highly recommend Auditwerx services to organizations of all sizes and requirement complexities.
VP, Customer Experience
...Their team has brought a level of knowledge and professionalism that has been unmatched. Our company is required to undergo a number of assessments annually with various firms and Auditwerx has truly been a pleasure to work with...
Information Technology & Security Manager
...The assessment itself was thorough, but non-disruptive. The team was highly professional and very knowledgeable. We recommend Auditwerx...without reservation.
General Counsel & Compliance Officer
As part of your overall compliance and assurance strategy, we offer examinations for the entire SOC report family. We can help you determine which report is right for your user base, whether they require financial assurance (SOC 1®) or security and operational assurance (SOC 2® and SOC 3®).

Identifies control gaps and provides a roadmap before the formal examination begins, saving time and money.

Assurance over core technology, security, and operational controls (common for SaaS, hosting, and data centers).

Expands the SOC 2® report to include testing against other compliance frameworks simultaneously.

A brief, general-use report that can be publicly distributed (it does not include detailed control testing).
Our handy guide, “Adding it Up: What Type of SOC Report Do I Need?” is a great starting point to determine what kind of SOC report best fits your company’s business and compliance needs.
When you’re ready to speak with an experienced team member about your reporting needs, Auditwerx will be here for you.
When you’re ready to start your PCI compliance journey, our experienced team will be here to walk you through the entire process, from assessment readiness to your final report.