INDEPENDENT CONTROLS FOR SOC1 AUDIT COMPLIANCE
The Challenge of SOC1 Compliance
Are you looking at SOC1 audit compliance for the first time? Or are you perhaps a veteran SOC1 complier looking for opportunities to bolster your existing controls? Well, you are in the right place.
To achieve SOC1 (System and Organisation Controls) financial statement and reporting compliance, you must provide ‘reasonable assurance’ evidence to your appointed third-party auditor (that’s not us!). The underpinning criteria for this audit are based on the SSAE 18 standard. These include (in reference to your system):
- Are your controls designed properly?
- Are controls in place?
- Are the controls in place operating effectively over time?
SOC1 reports (based on controls) are important because they give evidence to a third party that the service organisation is mature. This is important not just internally, but also externally! Your clients may contractually require you to prove that your services are SOC1 compliant. This can be the difference between retaining and losing a client. SOC1 compliance can also help you to raise your business above your competitors.
The Importance of Control Frameworks
Without a control framework, you will not be able to comply. In fact, your control framework (or its controls) will need to work towards 3 key objectives:
- Operations: Is it clear that the controls in place are operating effectively?
- Reporting: Are you able to generate reports for internal or external purposes that can verify the success of your services operations?
- Compliance: Do your controls cover the necessary laws and regulations for the services you are delivering?
Without a control framework, you will not be able to comply!
Designing or Enhancing a Control Framework
Whether you are looking to start from scratch or to enhance your current framework, there are 5 factors that must be considered:
- Control Environment: Are policies and procedures defined and supported by management?
- Risk Assessment: How does the business assess risk?
- Information and Communication: Are control reports shared internally & externally (where appropriate)?
- Monitoring Activities: As a business, what continuous improvement analysis is carried out to identify if things are not working? How are these things corrected?
- Existing Control Activities: Are controls in place and operating effectively?
Another consideration is the ‘type’ of SOC1 audit that is required:
- A Type 1 SOC1 audit by a third party (not us!) must include an opinion on the suitability of control design and must validate that controls are in place as of a particular date.
- A Type 2 SOC1 audit is substantially more extensive and covers a period of time, such as 6-12 months.
What is the Roscom solution?
Do you have an ‘end to end’ Order, Delivery and Billing Platform that you designed ‘in-house’? Do you need to obtain SOC1 approval? We have the solution for you!
We work with your existing control framework to identify which data fields are required for SOC1 reporting. The data is then securely fed into our Imperium cloud-based compliance platform for independent reconciliation. Compliance is assessed by validating every transaction, its process, arithmetic and completeness. After this validation, any anomalies are reported as exceptions for resolution.
So why choose us? Well, for over 35 years we have been providing technology test solutions to check for record integrity and overall end-to-end billing accuracy. Experience counts for a lot, especially when designing and evidencing control frameworks. Our clients are global, but for example in the UK we support directives relating to customer charging and provide reports for auditors like Ofcom and third parties like KPMG, PwC etc.
This is why we designed Imperium.
How does the Imperium Solution Integrate?
Our cloud-based solution (Imperium) independently reconciles data from various points in the billing stage to ensure completeness and accuracy. The SOC controls themselves are usually designed by the internal technical audit and governance teams alongside any external auditors. Roscom then provides the consultancy to identify all the needed individual reconciliations (data schemas) for the detailed SOC1 control areas, and provides compliance reporting relating to the record integrity of the actual platform, its arithmetic and its processing accuracy.
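As an added illustration of the reconciliation described above (this is not Imperium's code or Roscom's own data schemas), the snippet below runs completeness, process and arithmetic checks over constructed order, delivery and invoice records and reports every mismatch as an exception. It assumes simple dict-based records and ISO-formatted dates; all identifiers and values are made up.

```python
from decimal import Decimal
from collections import Counter
# Constructed sample records (not real client data): one dict per platform stage.
ORDERS = {
    "O1": {"lines": [("SKU-A", 2, Decimal("4.50")), ("SKU-B", 1, Decimal("10.00"))]},
    "O2": {"lines": [("SKU-C", 3, Decimal("2.99"))]},
    "O3": {"lines": [("SKU-A", 1, Decimal("4.50"))]},
}
DELIVERIES = {"O1": "2024-03-01", "O2": "2024-03-02"}  # ISO dates; O3 never delivered
INVOICES = [
    {"inv": "I1", "order": "O1", "date": "2024-03-02", "total": Decimal("18.50")},  # wrong total
    {"inv": "I2", "order": "O2", "date": "2024-03-01", "total": Decimal("8.97")},   # billed before delivery
    {"inv": "I3", "order": "O3", "date": "2024-03-03", "total": Decimal("4.50")},   # billed, never delivered
    {"inv": "I4", "order": "O2", "date": "2024-03-05", "total": Decimal("8.97")},   # duplicate billing
]

def order_value(order):
    """Recompute what the order should be worth from its priced lines."""
    return sum(qty * price for _, qty, price in order["lines"])

def reconcile(orders, deliveries, invoices):
    """Return (check, order_id, detail) exceptions; an empty list means the period is clean."""
    exceptions = []
    billed = Counter(inv["order"] for inv in invoices)
    # Completeness, delivery side: every delivered order is billed exactly once.
    for oid in deliveries:
        if billed[oid] == 0:
            exceptions.append(("completeness", oid, "delivered but never billed"))
        elif billed[oid] > 1:
            exceptions.append(("completeness", oid, f"billed {billed[oid]} times"))
    for inv in invoices:
        oid = inv["order"]
        # Completeness, billing side: no invoice without an order and a delivery behind it.
        if oid not in orders:
            exceptions.append(("completeness", oid, f"{inv['inv']} references unknown order"))
            continue
        if oid not in deliveries:
            exceptions.append(("completeness", oid, f"{inv['inv']} billed without delivery"))
        # Process: the billing stage must not run before the delivery stage (ISO dates sort as strings).
        elif inv["date"] < deliveries[oid]:
            exceptions.append(("process", oid, f"{inv['inv']} dated before delivery"))
        # Arithmetic: the invoiced total must equal the independently recomputed order value.
        expected = order_value(orders[oid])
        if inv["total"] != expected:
            exceptions.append(("arithmetic", oid, f"{inv['inv']} total {inv['total']} != {expected}"))
    return exceptions

if __name__ == "__main__":
    for check, oid, detail in reconcile(ORDERS, DELIVERIES, INVOICES):
        print(f"EXCEPTION [{check}] {oid}: {detail}")
```

Each exception carries the control area it failed under, which is the shape an auditor wants when tracing a finding back to a specific SOC1 control.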
We are currently working with a successful UK ecommerce grocery company (a household name) to deploy a global risk and controls tool that will provide a single information source for consolidated reporting. They are looking to attain SOC1 & 2 compliance on their own billing platform. This platform covers order fulfilment, delivery, and customer billing which they designed in house. It’s used by them to deliver services to their own customers but is also sold globally to other well-known grocery retailers.
Does this sound like something you might need? If so, we would welcome a call to explain more on how we might help in this area. We are ISO 27001 approved, have a good reputation in the regulation and compliance space, and have the experience to assist with external auditors too, like PwC / KPMG.