SOC Reports – What you need to know before you begin
One of the most frequent calls we receive is from service organizations that have come to the realization that they need a SOC report to satisfy an important client. Understanding what to expect as you engage in your first SOC audit can go a long way to ensuring you end up with a clean report and minimal disruption to your operations.
Increasingly, service organizations are specifically required to complete a SOC audit in contract language as a condition of doing business with many companies. If you think about, it makes sense: The client is entrusting you with vital and critical business processes and they want independent assurance your organization has adequate governance and effective controls in place. Failure to have a SOC report available can create a lot of unwanted scrutiny and even worse – the loss of an important customer.
Let’s address the most common question first – how long is this going to take? If you engaged a SOC auditor today, you are looking at months, not weeks, as the earliest you will have a report ready to provide to your customers. The process takes time and will almost always require a period of preparation before the audit can even begin. How long the preparation takes will be dependent on how motivated and committed your management team is to being ready. Once you have made the decision to proceed, there are some important steps you can take to ensure the audit process will be smooth and that there will be no unwelcome surprises.
The first and most vital step is to make sure your entire management team and key stake-holders are well-informed and engaged in the process. Once they know what is expected they can take steps to be prepared when the auditor comes to inspect the processes and controls that they are responsible for. One common mistake is to delegate the entire SOC audit to a single individual that often does not have the required access, information, or authority to ensure the auditor’s requests are addressed completely and timely. It is, however, ideal to designate a single individual to be a point person to work closely with the SOC auditors to ensure all requests and questions are addressed.
The next step is to determine the scope and boundaries of your system (which is the services you provide to your customers and is the subject matter the SOC auditor will be examining). Scoping will involve determining which services and processes are to be included (and those that will not) in your audit. In some cases, a service organization may have specific services or offerings that are not relevant to their customers requesting the SOC report, and therefore should not be included in the scope. Determining the boundaries of your system will involve defining what systems, people, processes, and vendors you outsource processes to (subservice providers). Once this information gathered and decided on, you are ready to move to the next step – preparing the system description.
Your system description is a narrative document you will prepare that will be a key component of your final SOC report. The purpose of the system description is to provide your user entities and user auditors a complete understanding of your company as a whole, the services you provide, and the controls you have in place to ensure timely, complete, and accurate delivery of those services. AICPA guidance requires the system description address specific topics depending on whether the audit is a SOC 1 or a SOC 2. Your SOC auditor will address your system description in the final opinion (report) regarding whether it is fairly presented and does not omit or distort information that is important to the reader of the report.
The last major component of preparing for the SOC audit is determining your controls. If you are doing a SOC 1, you will define your own control objectives and then specific control activities that demonstrate the control objectives are met. A SOC 1 is focused on ICFR (Internal Control Over Financial Reporting). Here is an example of a typical SOC 1 control objective:
“Controls provide reasonable assurance that customer transactions are processed accurately, timely, and completely.”
Specific control activities to ensure this control objective is achieved could include processes that reconcile, verify, and track activities around transaction processing. It is important that the control activity can also be evidenced or re-preformed so that the auditor can evaluate and test if the control is suitably designed and operating effectively. One or both of these last two points are included in the auditor’s final opinion depending on the specific type of report.
A SOC 2 audit is different from a SOC 1 in that a SOC 2 is criteria driven and the control objectives are Specified by the AICPA. A SOC 2 report will contain one of more of five Trust Services Categories: Security, Availability, Processing Integrity, Confidentiality, and Privacy and specifies the control objectives for each. You will select which criteria to report on based on what is relevant to your client’s needs. The SOC auditor can assist with which criteria you should include when discussing and determining the scope of your audit. Depending on the type of services you provide to your customers, certain criteria may not be relevant and therefore not necessary to include in your report. Just as with a SOC 1, you will determine your control activities for each of the criteria and control objectives.
With your team informed, your system description written, and your control objectives and activities defined, you are ready to begin the audit. If possible, we recommend performing your first SOC as a Type 1 audit, in which the auditor gives an opinion on whether the system description is fairly presented and whether the controls are suitably designed. The type 1 report does not require as much testing as a Type 2 and is issued as a point in time snapshot. This makes the Type 1 report ideal for first time clients. After completing the Type 1 engagement successfully, you can move to a Type 2 report which includes testing the operating effectiveness of your control activities over a period of time (3-12 months)
He can be reached at firstname.lastname@example.org or email@example.com.