Focusing on Controls that Impact Your Clients’ Financial Statements

A SOC 1, or SSAE 16 Report (formerly SAS 70), focuses on controls that are likely to be relevant to an audit of your clients’ financial statements. Rather than have each of your clients’ auditors test your processes individually, the SOC 1 report (prepared by an independent public accountant in accordance with the attestation standard SSAE 16) provides the information that those auditors seek in an efficient and streamlined manner.

Accountants Provide Two Types of SOC 1 Reports:

  1. SOC 1, Type 1 tells your clients and their auditors that you have accurately described a system, that the described controls are in place, and that the controls as described should achieve your financial control objectives.
  2. SOC 1, Type 2 goes a step further to verify that the controls did indeed function as described during a specified period of time, and describes the tests the independent accountant performed to make that determination and the results of those tests.

Your Clients are Really Asking Three Questions:

  1. Have you developed and maintained a system of internal controls that are suitably designed to meet your stated internal control objectives?
  2. Are those controls in place?
  3. Do the internal controls function as designed?

SOC 1, Type 1: Are Your Internal Controls Suitably Designed?

A SOC 1, Type 1 report strives to answer the first two questions. An unqualified opinion in this report tells your client and their auditors that the system you described is suitably designed to provide reasonable assurance that your organization’s financial control objectives will be achieved if the controls operate effectively. That information gives your clients a higher level of confidence in the system on which they rely for critical services.

SOC 1, Type 2: Are Your Internal Controls Operating Effectively?

A SOC 1, Type 2 Report strives to answer all three of the above questions. For many businesses, the SOC 1, Type 1 report is the first step on the road to assuring clients that the systems in place to manage financial transactions are suitably designed to achieve stated control objectives. While management’s description of the system is also the foundation of the SOC 1, Type 2 report, the accountant goes a step further and performs tests on the system of controls to determine whether it actually operated as described over a period of time. This more in-depth report can result in a much higher level of confidence in your processes from the businesses that you serve.

Have you recently received a request from a client or prospect for a SOC 1 report?

CONTACT US to issue your SOC 1 report or discuss whether a SOC 1, Type 1 or SOC 1, Type 2 is the right report for you.

Hein can help a service organization prepare for its formal SOC audit by performing a Readiness Assessment.

Why Hein?

  • Service organization reporting standards expertise
  • Efficient, effective and practical solutions for companies of all sizes
  • Responsiveness and communication
  • Strong mutual relationships
  • Service auditor quality of service
  • Certified Privacy professionals
  • Practical templates and tools so clients can quickly prepare for SOC audits
  • Broad client base across most industries to leverage experience
  • Strong cloud services IT and security experience


Please contact for more information or call 877-554-7735.