What is the SOC 1 Examination Process?
Though the timeline of a completed report varies greatly based on numerous factors within your organization, a SOC 1 examination nearly always moves through the same three phases: planning and preparation, fieldwork, and reporting.
For organizations that have elected to, or have been asked to, undergo a SOC 1 examination, how much time you will need to invest is often one of the first questions raised (along with how much that investment will cost).
Exact timelines are hard to nail down, as your organization's size, chosen report duration, and regulatory requirements all affect the turnaround time. Roughly, though, you might expect a SOC 1 examination to take anywhere from 10 to 15 weeks (not including optional phases, like a readiness assessment, that can add an additional 7 to 10 weeks).
Even after providing SOC services for over two decades, we cannot give a more precise estimate of how long your particular SOC 1 examination will take. What we can do is explain how the engagement will progress.
In every SOC 1, you can generally anticipate the same overall process, and in this article we break it down and detail each phase's activities so that you can better set expectations for your next audit experience.
The 3 Phases of a SOC 1 Examination
1. Planning and Preparation
As most things do, your SOC 1 examination will begin with an extensive preparation period. While your service auditor does their own planning, you’ll be responsible for defining four important elements:
To establish your SOC 1 examination scope, you’ll need to determine which of the following within your organization are relevant to your customers’ financial reporting:
You’ll also need to decide if any subservice organization(s) should be included in the report.
When choosing what type of report is appropriate for your organization, you’ll need to consider which would be the most beneficial to your user entities, as well as their auditors:
For more details on the differences between report types and how to determine yours, check out our article here.
If you choose a Type 2 report, which covers an examination period rather than a single point in time, most organizations in our experience select a period of either 6 or 12 months, but you can choose any timeframe that best suits the needs of your organization.
System Description and Control Objectives
Your auditors will review the system description to gain an additional understanding of the controls, so it should be a detailed narrative of your internal controls, including the scope, key system elements, and subservice organizations. (NOTE: Writing a thorough system description can reduce the number of inquiries for clarification during the audit.)
Defining your control objectives starts with deciding which services or systems will be covered by your system description. These objectives must take into consideration regulatory and compliance requirements and must address the types of transactions processed by your organization.
The controls supporting each objective should be described in enough detail to identify the control performer(s), frequency, activities, and the source of any information being processed.
For more guidance on how to define your control objectives—including examples—check out our article here.
Readiness Assessment (OPTIONAL)
You don’t have to undergo a readiness assessment, but at Schellman we typically recommend one ahead of a first-time examination, and there is value in conducting one at any stage. Readiness assessments are a good way to gauge how prepared your organization is for an examination, as they identify areas of improvement you can address for a smoother full examination.
Should you opt to include this extra stage, it is typically scheduled a month or two before fieldwork starts for a Type 1 examination. For Type 2 examinations, the readiness assessment is scheduled before your predetermined examination period starts. Whichever report type you choose, the idea is to allow time for your organization to remediate any findings before fieldwork begins.
A readiness assessment will include a review of your description of the system(s) as well as the design of controls for a Type 1 report, and it will additionally include a review of the operating effectiveness of controls for a Type 2.
2. Fieldwork
This is the core stage of the examination. Fieldwork happens after your planning (and readiness assessment, if you chose one), at which point you can expect your service auditor to request two things:
- Meetings with your process and control owners: During these meetings, process and control owners will provide an overview of their processes and the relevant controls, while your service auditors will ask any questions that they may have.
- Documentation of your controls: As you provide the requested records, your service auditors will review them with the control owners. During the examination, your service auditors formally document the test results—which will be included in a final report—as well as any findings or observations.
Additional requests for evidence and meetings may occur throughout this period to close any potential gaps in your service auditors’ understanding or assessment.
3. Reporting
Everything culminates in the final phase of the SOC 1 examination process: reporting. Once fieldwork is complete, your service auditor will compile the different report elements, which should include the results of the testing and any exceptions identified, and provide you with a draft copy.
You’ll then have the opportunity to review that draft, request any changes you find necessary, and approve the contents of the report, which your service auditor will then finalize for issuance. Once that’s done, your service auditors will send you the completed SOC 1 report that you can provide to your user entities and their auditors. Don’t forget about your opportunities to maximize this milestone.
Moving Forward with Your SOC 1 Examination
Although the reporting phase does represent the conclusion of one SOC 1 examination, compliance is an ongoing obligation, and you will repeat these same three phases annually. Having read this article, you know what to expect. Once you have actually gone through the process and gained an even better idea of how it works, you will be able to further streamline your next SOC 1 examination cycle.
But now that you know more about the process, you may still have questions about other factors that play into a SOC 1 examination, and we can help you answer those as well. Make sure to check out our other relevant SOC 1 content so that you can more easily make the necessary decisions and preparations ahead of your experience:
- Are Information Technology General Controls (ITGCs) Important?
- Which SOC Method Should You Use? Carve-Out vs. Inclusive
- How to Bridge From SOC 1 to SOC 2
And if you should have further or more specific questions, please don’t hesitate to reach out to us, as our team of experts would be happy to speak to you.
About Molly Rudar
Molly Rudar is a Senior Associate with Schellman & Company, LLC based in Pittsburgh, PA. Prior to joining the firm in 2021, she worked as a Technology Assurance consultant for a public accounting firm specializing in attestation reporting. Molly led and supported numerous projects, including SOC 1 reports, agreed-upon procedures, and testing against various SEC rulesets. She has over 4 years of experience serving clients across multiple industries, including financial services, insurance, and utilities. Molly now works primarily on System and Organization Controls (SOC) report audits for a variety of organizations.