Navigation:


DISCUSSIONS > THE SARBANES-OXLEY ACT [ REFRESH ]
Thread Title: When do we need a SOC1 from our service providers?
Created On Tuesday February 26, 2013 1:01 PM
  When do we need a SOC1 from our service providers?
  When do we need a SOC1 from our service providers?


SDCMO


Posts: 6
Joined: Dec 2009

Tuesday February 26, 2013 1:01 PM

User is offline View thread in raw text format

Can anyone point me to where I can find guidance on when we are required to obtain a SOC1 from a service provider? We know that we are required to do so when we are relying on their internal controls for processes and information related to our financial reporting, but are looking for specific language and/or authortative guidance to support our determination of which SOC1s we are inlcuding and excluding from our review.

Reply
Quote
Top
Bottom



msmeyer


Posts: 5
Joined: Nov 2011

Thursday April 04, 2013 4:37 PM

User is offline View thread in raw text format

SDCMO - I am not sure where you'd find that guidance. The only information I can offer to you is that each SOC1 report will include a section called something like "User Control Considerations" (I call them UCCs). In essence, this part of the report pretty much says that if the user of the services does not have those controls in place, it should not rely on the controls of the third party service provider. As such, part of my internal audit days consisted of going through the UCCs and making sure that they were covered with the already documented controls.

Reply
Quote
Top
Bottom

DISCUSSIONS > THE SARBANES-OXLEY ACT [ REFRESH ]
The Institute of Internal Auditors • 247 Maitland Avenue Altamonte Springs, FL. 32701-4201 USA
+1-407-937-1100 • FAX +1-407-937-1101 • www.theiia.org