Can anyone point me to where I can find guidance on when we are required to obtain a SOC1 from a service provider? We know that we are required to do so when we are relying on their internal controls for processes and information related to our financial reporting, but are looking for specific language and/or authoritative guidance to support our determination of which SOC1s we are including and excluding from our review.
SDCMO - I am not sure where you'd find that guidance. The only information I can offer to you is that each SOC1 report will include a section called something like "User Control Considerations" (I call them UCCs). In essence, this part of the report pretty much says that if the user of the services does not have those controls in place, it should not rely on the controls of the third party service provider. As such, part of my internal audit days consisted of going through the UCCs and making sure that they were covered with the already documented controls.