Posted by Maria T. Hurd, CPA
Type 1 SOC 1 reports provide plan auditors with an evaluation of the adequacy of the design and implementation of controls at a service provider and Type 2 SOC 1 reports discuss the operating effectiveness of the controls as designed.
In no event does reliance on a clean SOC 1 result in the elimination of all audit testing with respect to a significant audit area.
Often, service providers to a plan will provide an SOC 1 report INSTEAD of the specific information requested by an auditor to conduct substantive testing of a significant audit area. When this happens, the representative at the service provider often indicates that the auditor can rely on the opinion of the national firm regarding the entity’s controls to skip an audit procedure for which they are having trouble producing the requested backup.
SOC 1 reports never address the client under audit specifically. In fact, the financial activity for any given plan under audit is likely immaterial to the service provider as a whole. As a result, when a Type 2 SOC 1 report indicates that a certain process was processed appropriately without exception, the auditor can use that knowledge to consider reducing the extent of testing or change the nature of testing performed, but never to eliminate testing for the plan under audit.
In other words, if the operating effectiveness of relevant internal controls has been tested by a service auditor that reports no exceptions for that process on the Type 2 SOC 1 report, the auditor of the plan may be able to reduce substantive procedures for that audit area, but substantive procedures are still required.