The Basics of SOC 1®* Controls


Key Takeaways

  1. Controls are Cornerstones for Financial Reporting: The primary goal of a SOC 1® report is to evaluate controls related to client financial reporting. Control objectives define the goals against which a service organization’s control procedures are assessed to provide reasonable assurance against misstatements.

  2. Four Types of Internal Controls Evaluated: A SOC 1® assessment can examine four types of internal controls: Manual Controls (human action dependent), IT-Dependent Manual Controls (human review of digital data), Application Controls (system settings for detection), and IT General Controls (system access and security foundations).

  3. IT General Controls (ITGCs) are Key: IT General Controls are often the main focus of SOC 1® engagements. They ensure that authorized personnel have appropriate access to systems at the right time, providing foundational security for the entire control environment.

SOC 1®* controls and control objectives are the cornerstones of a SOC 1®* report. Control objectives state the goal against which your assessor evaluates whether your controls are designed and operating effectively.

Determining Your Control Objectives

In an assessment over financial reporting, each control objective corresponds to a relevant assertion: a specific criterion for evaluating a company's control procedures in a given area. The objective is to provide reasonable assurance that a misstatement in that area would be prevented, or detected and corrected, by the controls in a timely manner.

Did you know that a typical SOC 1® report covers anywhere from 10-30 control objectives? Your assessor can help you define these as part of a readiness assessment.  

When defining control objectives, consider what your service organization actually provides to its clients. For instance, if the objective is to restrict access to critical infrastructure, the supporting controls might include physical locks, ID verification at entry, monitoring of the facility, and logical access controls on the systems themselves.


Controls Evaluated by SOC 1®*

There are four types of internal controls that your SOC 1® assessor may examine:

  • Manual Controls – Controls that depend entirely on a human action, such as a manager signing off on a document.
  • IT-Dependent Manual Controls – Unlike Manual Controls, which rely solely on human action, these have a digital component: a human acts on output produced by a system, such as an administrator reviewing a system-generated user access report to confirm that only authorized users hold access.
  • Application Controls – Automated controls built into the application itself. Any system setting that enforces a rule or detects a problem without human intervention can be an Application Control.
  • IT General Controls – Usually the main focus of a SOC 1 report. These controls ensure that the right people have access to the right systems at the right time, and they underpin the reliability of the application controls that depend on them.
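The distinction between the second and third bullet is easiest to see in code. The following is an added example, not code from the article or from Auditwerx: a small access-review generator in which the system flags exceptions on its own (the Application Control half) and an administrator must then disposition and sign off each flagged item (the IT-Dependent Manual Control half). The HR roster, entitlement export, role-to-job policy and segregation-of-duties rule are all constructed for illustration and are not drawn from any real environment.

```python
"""Added example (not from the article): an access-review report generator.
detect_exceptions() is the application-control half (the system flags
problems itself); build_review()/record_signoff() is the IT-dependent manual
control half (a named human reviews and dispositions the system's output).
All roster, entitlement, policy and SoD data below is constructed."""

from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Entitlement:
    user: str
    system: str
    role: str
    last_login: date


# Constructed HR roster: employment status and job function per user.
HR_ROSTER = {
    "alice": {"status": "active", "job": "accounts_payable"},
    "bob":   {"status": "terminated", "job": "accounts_payable"},
    "carol": {"status": "active", "job": "helpdesk"},
}

# Constructed entitlement export from a hypothetical financial application.
ENTITLEMENTS = [
    Entitlement("alice", "erp", "ap_clerk",    date(2024, 5, 2)),
    Entitlement("alice", "erp", "ap_approver", date(2024, 5, 2)),
    Entitlement("bob",   "erp", "ap_clerk",    date(2024, 2, 27)),
    Entitlement("carol", "erp", "ap_approver", date(2024, 5, 1)),
]

# Assumed role-to-job policy and segregation-of-duties rule (hypothetical).
ALLOWED_ROLES = {"accounts_payable": {"ap_clerk", "ap_approver"}, "helpdesk": set()}
SOD_CONFLICTS = [frozenset({"ap_clerk", "ap_approver"})]


def detect_exceptions(entitlements=ENTITLEMENTS, roster=HR_ROSTER,
                      allowed_roles=ALLOWED_ROLES, sod_conflicts=SOD_CONFLICTS,
                      today=date(2024, 6, 1), dormant_days=90):
    """Application control: evaluate every entitlement against the roster and
    policy with no human involvement. Returns (user, system, reason) tuples."""
    findings = []
    roles_by_account = {}
    for e in entitlements:
        roles_by_account.setdefault((e.user, e.system), set()).add(e.role)
        person = roster.get(e.user)
        if person is None:
            findings.append((e.user, e.system, "no HR record for account"))
            continue
        if person["status"] == "terminated":
            findings.append((e.user, e.system, "terminated user still provisioned"))
        elif e.role not in allowed_roles.get(person["job"], set()):
            findings.append((e.user, e.system,
                             f"role {e.role} not permitted for job {person['job']}"))
        if (today - e.last_login).days > dormant_days:
            findings.append((e.user, e.system, f"dormant: no login in {dormant_days} days"))
    # Segregation-of-duties check across all roles a user holds on one system.
    for (user, system), roles in roles_by_account.items():
        for pair in sod_conflicts:
            if pair <= roles:
                findings.append((user, system,
                                 "segregation-of-duties conflict: " + " + ".join(sorted(pair))))
    return findings


def build_review(findings, reviewer):
    """IT-dependent manual control: package the system output as a report that
    a named reviewer must disposition item by item."""
    return {"reviewer": reviewer, "status": "open",
            "items": [{"finding": f, "decision": None} for f in findings]}


def record_signoff(review, decisions):
    """Apply the reviewer's decisions (e.g. 'remove' or 'retain') keyed by
    finding. The review only closes once every item has a decision; the closed
    review is the evidence an assessor would sample."""
    for item in review["items"]:
        item["decision"] = decisions.get(item["finding"], item["decision"])
    open_items = [i["finding"] for i in review["items"] if i["decision"] is None]
    review["status"] = "closed" if not open_items else "open"
    return review, open_items


if __name__ == "__main__":
    findings = detect_exceptions()
    for f in findings:
        print(f)
    review = build_review(findings, reviewer="it.admin")
    review, still_open = record_signoff(review, {findings[0]: "remove"})
    print(review["status"], len(still_open), "items still awaiting a decision")
```

Note how the two halves produce different evidence: the automated check yields the exception list (the assessor tests its configuration and logic), while the review record yields a signed disposition per item (the assessor samples the reviews to confirm a human actually acted on the output and did so on time).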


Auditwerx is Your Partner for SOC 1®*

If you’re ready to find a company that can be a true compliance partner, look no further than Auditwerx. Our seasoned professionals can guide you through a successful SOC 1® report from readiness to your final report.  

If this is your first SOC* engagement, it is extremely important to consider a readiness assessment or gap engagement to determine any areas where your controls could be improved and allow an opportunity for remediation before it impacts your final report.

FAQs

What are SOC 1® control objectives?

Control objectives establish the evaluation criteria for a company's internal procedures related to client financial reporting. They define the desired goal (e.g., restricting access to critical infrastructure) against which a service organization's controls are measured to ensure that any financial misstatement would be reliably prevented or detected.

How many control objectives does a SOC 1® report cover?

A typical SOC 1® engagement covers 10 to 30 control objectives, depending on the complexity of the services the organization provides to its clients. These objectives must be defined to align with the services actually being delivered.

What is the difference between Manual Controls and IT-Dependent Manual Controls?

Manual Controls rely entirely on human action (like a manager's physical signature). IT-Dependent Manual Controls have a digital component: a human administrator must review reports or data generated by an IT system (like a system-generated user access report) for the control to function.

Why is a readiness assessment important?

A readiness assessment (or gap engagement) is a crucial preliminary step, especially for a first SOC engagement. It identifies weaknesses or areas where controls could be improved and allows remediation before the formal assessment takes place, reducing the risk of a negative finding in the final report.

About the Author

Auditwerx Team
Tampa-based Auditwerx has provided over 3,500 security compliance reports to clients nationally and internationally since 2009, leveraging the specialized resources and experts of a top accounting firm for high-quality, personalized service. As a division of Carr, Riggs & Ingram Capital, LLC, Auditwerx offers clients the skills of a large firm—including CISSPs and CISAs—combined with the accessibility of a niche, boutique firm, dedicated to building long-term, transparent partnerships.
