Seeking Help with SOC-1 Reports
I’m currently trying to locate a specific SOC-1 report for a 403(b) Audit I’m working on. I’ve got the SOC-1 reports for the primary company, but several control objectives are tied to a subservice that has its own SOC-1 report. This subservice was recently acquired by a larger corporation, but their website has limited resources for getting in touch regarding this issue. I attempted to email one of their contacts at random, but unfortunately, I didn’t receive a reply.
Has anyone else faced challenges in tracking down SOC-1 reports? If so, how did you manage to find them, or did you end up opting for expanded testing instead? Any advice would be appreciated!
One response
It sounds like you’re in a challenging situation trying to track down the SOC-1 report for the subservice organization. It can definitely be tricky when companies change or get acquired, and their resources become less accessible.
Here are a few suggestions that might help you in your search:
Reach Out to Your Main Company Contact: If you have a relationship with someone at the main company, consider reaching out to them directly. They might be able to facilitate a connection with the subservice organization or provide insights on how to obtain the report.
LinkedIn Networking: Use LinkedIn to search for employees at the acquired company. You could send a connection request with a brief message explaining your situation—often, a personal touch can yield better responses than a cold email.
Professional Associations: If you’re part of any Audit or Accounting associations, consider posting there. Other professionals may have faced similar issues or have contacts who can help.
Alternative Audit Reports: Sometimes subservice organizations have other Audit reports like SSAE 18 or ISO certifications that can provide useful information about their controls. While not a direct substitute for a SOC-1, they could help in your assessment.
Expanded Testing: If you can’t locate the SOC-1 report, you’ll likely need to rely on expanded testing as per your mention. Document your attempts to obtain the report; this can provide context for your audit conclusion.
If all else fails, it may be worth consulting with your audit team for guidance on the situation, as they might have recommendations based on similar experiences. Good luck, and I hope you’re able to successfully track down the report!