Controls and control objectives are the cornerstones of a SOC 1 report. Control objectives provide a goal from which your auditor can assess the function of your controls.
Determining SOC 1 Control Objectives
When it comes to an internal audit over financial reporting, control objectives usually relate to a relevant assertion that states a specific criterion for evaluating a company’s control procedures in a given area, in order to provide reasonable assurance that any misstatement in regard to the controls would be reliably detected by the controls in a timely manner.
Did you know that a typical SOC 1 report covers anywhere from 10-30 control objectives? Your auditor can help you define these as part of a readiness assessment.
When defining control objectives, it is important to consider what your service organization provides to your clients. For instance, if your objective is to restrict access to critical infrastructure, you may consider taking steps like installing locks, requiring confirmation of ID, monitoring, or logical access systems.
Controls Evaluated by SOC 1
There are 4 types of internal controls that could be examined by your SOC 1 auditor:
- Manual Controls – These refer to controls that depend on a human action, like a manager signing off on a document.
- IT-Dependent Manual Controls – As opposed to Manual Controls that rely solely on human action, IT-Dependent Manual Controls have a digital component, such as administrators who must review user reports in order to ensure proper access to systems.
- Application Controls – This one is simple! Any system setting that could be used to detect a problem could be an Application Control.
- IT General Controls – These kinds of controls are usually the main focus of most SOC 1 reports. They ensure that the right people have access to the right systems at the right time.
Auditwerx is Your Partner for SOC 1
If you’re ready to find a company that can be a true compliance partner, look no further than Auditwerx. Our seasoned IT audit professionals can guide you through a successful SOC 1 report from readiness to your final report.
If this is your first SOC engagement, it is extremely important to consider a readiness assessment or gap engagement to determine any areas where your controls could be improved, and allow an opportunity for remediation before it impacts your final report.