[Verse 1] When companies outsource their vital operations Payroll systems, data centers, cloud formations User entities need to trust what they can't see But how do auditors verify what's happening behind the scenes? [Chorus] SOC 1 reports, they bridge the gap Type One snapshot, Type Two time map Controls at service orgs, we must examine SSAE eighteen standards, auditor's companion Trust but verify, that's the auditor's creed SOC 1 gives the evidence that user entities need [Verse 2] Management assertions about their control design Complement user entities' financial reporting line When third parties handle transactions and processing Internal control gaps need professional assessing [Chorus] SOC 1 reports, they bridge the gap Type One snapshot, Type Two time map Controls at service orgs, we must examine SSAE eighteen standards, auditor's companion Trust but verify, that's the auditor's creed SOC 1 gives the evidence that user entities need [Bridge] Type One tests design at a point in time Type Two adds operating effectiveness over time Complementary controls work hand in hand Service auditor's opinion helps users understand [Verse 3] Scope includes controls relevant to financial reporting Exclude the rest, keep focus supporting User auditors rely on service auditor's work But still must evaluate, responsibility they can't shirk [Chorus] SOC 1 reports, they bridge the gap Type One snapshot, Type Two time map Controls at service orgs, we must examine SSAE eighteen standards, auditor's companion Trust but verify, that's the auditor's creed SOC 1 gives the evidence that user entities need [Outro] Service organizations, user entities align Through SOC 1 reports, control environments shine
← Attestation for Non-Financial Information | SOC 2 and SOC 3 Engagements →