SOC 1 Reviews
I was curious to see how others use Workiva to complete their vendor's SOC 1 reviews. Currently, within Workiva we use a large spreadsheet document, and create individual SOC 1 has a few of a standardized review template. SOC 1 reviewers attach the SOC 1 within Workiva to that table.
The thought was that by doing the review templates within Workiva, people could update their review templates each time there is a new report.
Does anyone use a different strategy for using Workiva to complete the review of their vendor's SOC 1s?
-
We have a relatively limited population, and maintain our review memos in Wdesk for ease of roll-forward/audit trail, etc. We note:
- opinion: clean, qualification of who opined, stub period coverage letter obtained through year end
- conclude on any testing exceptions and why they don't impede our ability to rely on the external vendor's control environment
- map the complementary user controls to our controls, or note why n/a
-1We are similar to Robert given the number of SOC1 reports that are evaluated. We maintain a listing of all SOC reports and a template is completed for each one.
I am curious if anyone has a template within Workiva that can be populated?
0We went a different route (was new to Workiva this year). Created a key control in the IT controls for that application for the SOC 1. Created a Document for the SOC 1 and uploaded the SOC 1 to that. Mapped the Document to the Key Control in the walkthrough. Then the review was document in the walkthrough narrative box:
1. Period Covered XX - XX
2. Gap Letter obtained to cover period through 12.31.21
3. Clean Opinion signed November 23, 2021
4. Reputable Auditor: EXPLAIN WHY
5. Sub-service providers: NOTE ANY AND EXPLAIN HOW COVERED
6. User entity controls - document/map.
7.Test Result Findings.
I used to have a detailed form but this works well as more simplified and keeps key points.
0Please sign in to leave a comment.
Comments
3 comments