MapSOC1’s deliverables cover the complete SOC1 review for up to a full 12-month fiscal year. This includes detailed documentation of SOC1 reports for periods provided by you, such as from January to March and April to September, as well as any necessary Bridge Letters up to December 31.
The fixed price of MapSOC1 covers the primary SOC1 documentation, excluding sub-service providers ‘carved out’ from the main SOC1. Separate, detailed documentation and mapping for any sub-service provider’s SOC1, like AWS in the case of hosted ERP systems, is available for an additional fee.
For a thorough SOC1 Type2 mapping, we require the SOC1 Type2 report(s) for the relevant period, your internal control listings or risk matrix, and any bridge letters from service providers. MapSOC1 will use this data to prepare the SOC1 mapping, ready for your review.
MapSOC1 guarantees a standard delivery within 10 business days from receiving the required documents. Expedited 5-business-day delivery is available for an additional fee. For instance, documents received on March 1st will result in a completed SOC1 mapping by March 15th.
Two SOC1 Type2 reports from a single service provider are necessary when one report does not cover the full fiscal year. For instance, if ADP issues semi-annual SOC1 Type2 reports, you would need both to cover your fiscal year comprehensively.
A bridge letter is required for the period between the SOC1 Type2 report’s audit date and your fiscal year-end, ensuring that all activities are accounted for up to the date of the external auditors’ sign-off.
Post fiscal year-end bridge letters are required to disclose any significant events that may have occurred before the auditors sign their opinion, known as subsequent events.
The SOC1 Type2 report documentation is an annual requirement to ensure up-to-date compliance and control mapping.
MapSOC1 is capable of mapping all systems that are accompanied by a SOC1 Type2 report, ensuring comprehensive audit support.
The Pro package includes SOC1 Type2 report mapping and a bridge letter for a fiscal year, while the Premium package covers two SOC1 Type2 reports and a bridge letter for the same period, catering to systems with semi-annual reports like ADP.
The Pro package is suitable if your service provider’s SOC1 Type2 report spans at least nine months of your fiscal year. The Premium package is required when you have semi-annual SOC1 reports, necessitating additional documentation.
Typically, SOC1 Type2 reports are available two months post the audit period end. Please confirm the availability with your service provider.
The availability of bridge letters varies by service provider. For a December 31 year-end, they are usually available in January. Consult with your service provider for precise timings.
Request the SOC1 Type2 report ahead of time, preferably in November, to ensure you can address any control gaps well before year-end.
Absent a bridge letter, additional steps may include inquiring with the service provider about changes or assessing the materiality of the gap period to ensure control effectiveness.
Your service provider recognizes you as the primary customer and typically only give the SOC1 report to you.
Since you are the main customer, your service provider typically only gives the bridge letter to you.