
SOC 1 Reviews




  • Nicole P.

    We have a relatively limited population, and maintain our review memos in Wdesk for ease of roll-forward/audit trail, etc. We note:

    - opinion: clean, qualification of who opined, stub period coverage letter obtained through year end

    - conclude on any testing exceptions and why they don't impede our ability to rely on the external vendor's control environment 

    - map the complementary user controls to our controls, or note why n/a

  • (LEFT CNR) Nancy Jordan

    We are similar to Robert given the number of SOC1 reports that are evaluated. We maintain a listing of all SOC reports and a template is completed for each one.

    I am curious if anyone has a template within Workiva that can be populated?

  • Kerry Robinson

    We went a different route (was new to Workiva this year). Created a key control in the IT controls for that application for the SOC 1. Created a Document for the SOC 1 and uploaded the SOC 1 to that. Mapped the Document to the Key Control in the walkthrough. Then the review was documented in the walkthrough narrative box:

    1. Period Covered XX - XX

    2. Gap Letter obtained to cover period through 12.31.21

    3. Clean Opinion signed November 23, 2021

    4. Reputable Auditor: EXPLAIN WHY

    5. Sub-service providers: NOTE ANY AND EXPLAIN HOW COVERED

    6. User entity controls - document/map.

    7. Test Result Findings.

    I used to have a detailed form but this works well as more simplified and keeps key points.

