866.254.0000
Talk with a Specialist
Services
SOC & Attestations
Payment Card Assessments
ISO Certifications
Privacy Assessments
Federal Assessments
Healthcare Assessments
Penetration Testing
Cybersecurity Assessments
Crypto and Digital Trust
Schellman Training
ESG & Sustainability
AI Services
View All Services
Industry Solutions
Cloud Computing & Data Centers Meet a broad range of regulatory and industry compliance mandates for your customers
Financial Services & Fintech Cybersecurity assessments for both the banking industry and the financial service providers
Healthcare Reporting to manage risk and adhere to applicable laws and regulations
Payment Card Processing Validate compliance with the various forms of the PCI DSS
US Government Achieve authorization to work for federal agencies, DoD, and the associated contractor base
Higher Education & Research Laboratories Reinforce your commitment to securing your student's and institution's data.
View All Industry Solutions
Learning Center
Our Technology
About Us
Leadership Team
Careers
Corporate Social Responsibility
Strategic Partnerships
Visit About Us
Services
Services
View All Services
SOC & Attestations
SOC & Attestations
Payment Card Assessments
Payment Card Assessments
ISO Certifications
ISO Certifications
Privacy Assessments
Privacy Assessments
Federal Assessments
Federal Assessments
Healthcare Assessments
Healthcare Assessments
Penetration Testing
Penetration Testing
Cybersecurity Assessments
Cybersecurity Assessments
Crypto and Digital Trust
Crypto and Digital Trust
Schellman Training
Schellman Training
ESG & Sustainability
ESG & Sustainability
AI Services
AI Services
Industry Solutions
Industry Solutions
View All Industry Solutions
Cloud Computing & Data Centers
Cloud Computing & Data Centers
Financial Services & Fintech
Financial Services & Fintech
Healthcare
Healthcare
Payment Card Processing
Payment Card Processing
US Government
US Government
Higher Education & Research Laboratories
Higher Education & Research Laboratories
Learning Center
Our Technology
About Us
About Us
About Schellman
Leadership Team
Leadership Team
Careers
Careers
Corporate Social Responsibility
Corporate Social Responsibility
Strategic Partnerships
Strategic Partnerships
Talk with a Specialist

«  View All Posts

What is the SOC 1 Examination Process? Blog Feature
Molly Rudar

By: Molly Rudar

Print/Save as PDF

What is the SOC 1 Examination Process?

SOC Examinations

Though the timeline of a completed report varies greatly based on numerous factors within your organization, a SOC 1 examination generally always moves through the same three phases of planning and preparation, fieldwork, and reporting stages.

For organizations that have elected to—or have been asked to undergo—a SOC 1 examination, the question of how much time you’ll need to invest is often one of the first questions (along with how much will this investment cost).

Exact timelines are hard to nail down, as your organization's size, chosen report duration, and regulatory requirements can affect the turnaround time—though roughly, you might expect a SOC 1 examination to take anywhere from 10 to 15 weeks (not including optional phases, like a readiness assessment, that can add up to an additional 7-10 weeks).

Despite our providing SOC services for over two decades now, we wouldn’t be able to nail down anything more accurate in terms of what your SOC 1 examination duration would be, but what we can do is explain how your experience would progress.

Because in every SOC 1, you can generally anticipate the same overall process, and in this article, we’re going to break it down and detail each phases’ activities so that you can better set expectations for your next audit experience.

The 3 Phases of a SOC 1 Examination

1. Planning and Preparation

 

As most things do, your SOC 1 examination will begin with an extensive preparation period. While your service auditor does their own planning, you’ll be responsible for defining four important elements:

Assessment Scope

To establish your SOC 1 examination scope, you’ll need to determine what of the following within your organization are relevant to your customers’ financial reporting:

  • Services;
  • Business functions; and/or
  • Systems.

You’ll also need to decide if any subservice organization(s) should be included in the report.

Report Type

When choosing what type of report is appropriate for your organization, you’ll need to consider which would be the most beneficial to your user entities, as well as their auditors:

  • Type 1 Report: Will examine your scope as of a designated point in time that the examination was completed.
  • Type 2 Report: Will examine your scope over a specified period—if you opt for this type, this period should coincide with the financial reporting period of the majority of your customers.

For more details on the differences between report types and how to determine yours, check out our article here.

Examination Date/Period

In our experience, should you choose a Type 2 that constitutes an examination period, most organizations elect for that of either 6 or 12 months, but you can choose any timeframe that best suits the needs of your organization.

System Description and Control Objectives

As it will be reviewed by your auditors to gain an additional understanding of the controls, the system description should be a detailed narrative of your internal controls including the scope, key system elements, and subservice organizations. (NOTE: Writing a thorough system description can reduce the number of inquiries for clarification during the audit.)

Defining your objectives starts with deciding which services or systems will be used in your system description. These objectives must take into consideration regulatory and compliance requirements and must include the types of transactions processed by your organization.

Control objectives should provide details including the control performer(s), frequency, activities, and the source of any information being processed.

For more guidance on how to define your control objectives—including examples—check out our article here.

Readiness Assessment (OPTIONAL)

While you don’t have to undergo a readiness assessment, at Schellman, we typically recommend it ahead of a first-time examination, but there is always added value in conducting one. Readiness assessments are a good way to assess how prepared your organization is for an examination, as they identify areas of improvement you can address for an easier full examination.

Should you opt to include this extra stage, this precursor is typically scheduled for a month or two before fieldwork starts for a Type 1 examination. Similarly, for type 2 examinations, the readiness assessment will be scheduled before your predetermined examination period starts—no matter your report type, the idea is to allow time for your organization to remediate any findings before fieldwork begins.

A readiness assessment will include a review of your description of the system(s) as well as the design of controls for a Type 1 report, and it will additionally include a review of the effectiveness of controls for a Type 2.

2. Fieldwork

 

This is the foremost stage of the examination—fieldwork happens after your planning and readiness assessment, at which point you can expect your service auditor to need and request two things:

  • Meetings with your process and control owners: During these meetings, process and control owners will provide an overview of their processes and the relevant controls, while your service auditors will ask any questions that they may have.
  • Documentation of your controls: As you provide the requested records, your service auditors will review them with the control owners. During the examination, your service auditors formally document the test results—which will be included in a final report—as well as any findings or observations.

Additional requests for evidence and meetings may occur throughout this period to close any potential gaps in your service auditors’ understanding or assessment.

3. Reporting

 

Everything culminates in this final phase of the SOC 1 examination process—reporting. Once the assessment is complete, your service auditor will compile the different report elements—which should include the results of the assessment and any gaps identified—and provide you with a draft copy.

You’ll then have the opportunity to review that draft, make any changes that you find necessary, and approve the contents of the report, which will then be finalized by your service auditor for issuance. Once that’s done, your service auditors will send you the completed SOC 1 report that you can provide to current customers, and don’t forget about your opportunities to maximize this milestone.

Moving Forward with Your SOC 1 Examination

Although the reporting phase does represent the conclusion of one SOC 1 examination, compliance is an ongoing imperative that will see you repeat these same three phases annually. Having read this article, you know what to expect now, but once you’ve actually gone through the process once and gleaned an even better idea of how it works, you’ll then have the opportunity to further streamline your next SOC 1 examination cycle.

But now that you know more about the process, you may still have questions about other factors that play into a SOC 1 examination, and we can help you answer those as well. Make sure to check out our other relevant SOC 1 content so that you can more easily make the necessary decisions and preparations ahead of your experience:

And if you should have further or more specific questions, please don’t hesitate to reach out to us, as our team of experts would be happy to speak to you.

About Molly Rudar

Molly Rudar is a Senior Associate with Schellman & Company, LLC based in Pittsburgh, PA. Prior to joining the firm in 2021, she worked as a Technology Assurance consultant for a public accounting firm specializing in attestation reporting. Molly led and supported numerous projects, including SOC1 reports, agreed-upon procedures, and testing various SEC rulesets. She has over 4 years of experience comprised of serving clients across multiple industries, including financial services, insurance, and utilities. Molly is now primarily working on System and Organizational Control (SOC) report audits for a variety of organizations.

4010 W Boy Scout Boulevard
Suite 600
Tampa, FL 33607

U.S. 1.866.254.0000

Outside the U.S.
1.813.288.8833

Resources
Company
Stay Up-to-Date

Sign up to receive Schellman's Weekly Ready delivered every Friday morning.

© SchellmanPrivacy PolicyTerms of Use

“Schellman” is the brand name under which Schellman & Company, LLC and Schellman Compliance, LLC provide professional services. Schellman & Company, LLC and Schellman Compliance, LLC practice as an alternative practice structure in accordance with the AICPA Code of Professional Conduct and applicable law, regulations and professional standards. Schellman & Company, LLC is a licensed certified public accounting firm (Florida license number AD62941) registered with the Public Company Accounting Oversight Board (PCAOB) that provides attest services to its clients, and Schellman Compliance, LLC provides nonattest cybersecurity and compliance professional services to its clients. Schellman Compliance, LLC is not a licensed CPA firm. Schellman & Company, LLC and Schellman Compliance, LLC are independently owned and are not liable for the services provided by any other entity providing services under the Schellman brand. Our use of the terms “our firm” and “we” and “us” and terms of similar import, denote the alternative practice structure conducted by Schellman & Company, LLC and Schellman Compliance, LLC.