More and more customers are requesting service organizations to obtain a Service Organization Control (SOC) audit in order be qualified to become their vendors. When such requests are received, how does a service organization prepare for a SOC audit? The following steps describe the typical stages of a SOC audit.
- Identify which SOC audit is needed
There are two SOC audit focuses among the different SOC audits available; financial focused controls audits (SOC 1) and IT environment focused controls audits (SOC 2 and SOC 3). The main determining factor for which SOC audit a service organization will need is based on what services a vendor provides for its customers. For example, customers of data hosting services like Amazon Web Services Cloud (AWS) or Microsoft Azure will be more interested in a SOC 2 or SOC 3 audit. Since AWS and Azure do not take responsibility for providing any financial reporting, but do provide the security and availability of their customer’s data hosted at their datacenters. Conversely, customers of payroll processors, like ADP, will probably be most interested in the accuracy and completeness of their processing and reporting, thus requiring a SOC 1 report. At times, the
customer of the service organization may not even know the differences between these reports. Some research may be necessary with the service organization and their customers to help them determine which SOC audit report is right for them. A more in-depth discussion regarding the differences in these reports can be found in our white-paper titled Building Trust by Obtaining a Service Auditor’s Report.
- After identifying the report, you must decide on the control objectives or applicable principles to narrow the scope.
After the audit focus is decided between SOC 1, SOC 2, and/or SOC 3 reports, you will need to determine the scope of the report. This can be done by coming up with applicable control objectives for SOC 1 reports, or by selecting the applicable principles for a SOC 2 and SOC 3 report.
Since SOC 1 reports focus more on financial reporting, the service organization will need to determine the control objectives that would impact the financial reporting of processing transactions. Continuing our example above, one of the control objectives ADP may identify would be “controls provide reasonable assurance that the reports generated for customers are complete and accurate” and/or “controls provide reasonable assurance that only authorized individuals can make changes to the payroll file.” Since each service organization’s controls are different, entities must determine, on their own, all applicable control objectives for their report.
For SOC 2 reports, instead of coming up with their own control objectives, service organizations will need to determine which principles are applicable for their system. There are five principles a service organization can choose from: security, availability, confidentiality, processing integrity, and privacy. Once a principle is chosen, an organization will need to have controls that address a list of criteria specified for the principles chosen. A list of these criteria can be downloaded here. A service organization can choose between one to all of the principles for testing. However, at a minimum, the security principle must be chosen.
- After identifying the control objectives or applicable principles related to the SOC audit, the service organization will need to determine what controls address the control objectives or criteria.
Deciding on what controls and how many controls are needed to sufficiently address the respective control objectives (SOC1) or control principles requires judgement (SOC 2 &SOC 3). This may be the most time consuming stage of the audit for the service organization and requires some assistance and guidance from your auditor. Larson & Company provides a 2-hour free initial SOC readiness assessment to help identify any controls gaps that a service organization may need to correct and any control design deficiencies. The most commonly identified control gap for a company that has never gone through a SOC audit relates to the documentation of the performance of control, such as independent review sign-offs or approval of code changes before migration to the production environment. This assessment will also provide the auditor detailed information on the number and type of controls related to the SOC audit, allowing them to then provide a more detailed analysis to determine the nature, timing, and extent of testing the audit requires and provide the service organization a more accurate engagement fee estimate for the audit.
- Preparation of Management Description
When the service organization has fully implemented all required controls, they are then ready to begin preparing the management description that will be included as part of the SOC report. Although it is the most ideal for this to occur before the audit fieldwork begins, in practice, this is most likely to be completed during or after fieldwork as changes in the wording of controls may occur during the testing performed by the auditor. The management description should include an overview of services provided by the service organization, the system’s relevant internal controls, relevant COSO internal control framework, lists of subservice organizations that are utilized by the system, and any user or subservice organization control considerations.
- Ready for audit fieldwork
Once the items above are completed and provided to the auditors, the auditors will then be ready to create a list of requests that are needed to begin the audit fieldwork. During the audit fieldwork, auditors will be onsite to conduct various interviews to observe how controls are functioning, select samples and request additional evidence of controls documentation, and document the results of their testing. Constant communication between the service organization and the auditor during this stage is essential. This ensures a complete understanding of the controls by the auditor and determine whether changes in the control description are necessary. It is also essential that all parties understand and agree on the cause and impact of the exceptions that may be discovered from testing. The amount of time the auditors will be onsite to perform these tests will be dependent on the complexity of the system and availability of the controls documentation necessary for testing.
Once testing is complete, the auditor and the service organization will finish drafting and proofing the reports together. For SOC 1 Type 2 and SOC 2 Type 2 reports, in accordance with reporting guidelines, any exceptions found must be listed in the results of the report. It is not uncommon for exceptions to occur from the testing performed. While such exceptions will appear in the results section of the report, as long as such exceptions noted are not so material that it will warrant a likelihood that the control objective would not be achieved, the opinion on the report may still be a “clean” opinion. Management of the service organization may also respond to any exceptions noted from the audit in the report as a separate section of the report (only listed in SOC 1 and SOC 2 audits).
2-hour free SOC readiness assessment
As one can see from the various stages of the SOC audit, preparation is key for both the service organization as well as the auditors. It is essential that both parties have open communication regarding what the scope of the SOC audit is. As mentioned above, Larson provides a 2-hour free initial SOC readiness assessment to help service organizations determine which SOC audit is best for their needs. We also assist in identifying any control gaps that a service organization may have. If you would like to take advantage of this, please contact Andrew Wan at firstname.lastname@example.org or at 801-984-1829.