This article is a continuation of the two-part series on common questions about SOC examinations. In this article we will be covering what the process for completing a SOC examination looks like from day one.
SOC Readiness Assessment and Remediation
Most service organizations (nearly all of them, in our experience) will require an initial readiness assessment before undergoing a SOC examination for the first time. Readiness assessments, also referred to as “gap assessments,” are designed to help an organization evaluate the current state of the processes and controls that would be in scope for the examination. Take this phase seriously: otherwise the service organization is likely to be woefully unprepared, and the results of the first examination may not be flattering.
Most service organizations will also need some help determining what exactly should be included in the scope of their examination. This is completely normal. While SOC examinations are somewhat prescriptive in nature and consistent in their presentation, they are highly customized to the unique characteristics of the service organization.
Management will need to complete a risk assessment, if they have not already, to ensure that they understand the risks present in each in-scope area and to determine whether appropriate controls have been put in place to mitigate those risks. During the readiness assessment, walk-throughs of all in-scope process areas and controls are conducted, feedback is provided on any “gaps” identified in the controls, and recommendations are made on the relative significance of in-scope controls in order to identify those that are key.
Many service organizations have terrific processes in place, but often have trouble demonstrating them. Part of the readiness assessment process is meant to help the service organization understand the quality of the auditable evidence which is produced during the operation of in-scope controls and make recommendations for any improvements as needed. Many times, this does not require wholesale changes to pre-existing processes but merely tweaks as to how the operation of controls is documented and retained.
After the readiness assessment is complete, management will begin remediating any gaps which were identified. This process will generally take several weeks to complete, and in some cases longer if management has resource limitations or if there were a significant number of items requiring attention.
Are we there yet? Almost. Remember that audits always look backward in time, and a newly remediated control environment has not been operating for very long. To be useful, a Type II SOC report normally needs to cover a period of 6 to 12 months (12 months is most common) during which the remediated controls were operating. The examination phase of a Type II report therefore may not begin until many months after remediation is complete, to give the new control environment enough time to operate.
If there is urgency to provide a SOC report to your user entities sooner rather than later, an alternative is a Type I SOC report, which can be completed soon after remediation is finalized. Instead of covering a period of time as a Type II report does, a Type I report covers only a point in time. Type I reports are generally less useful to user entities because they address only the presentation and design of your controls as of a particular date, and not the operating effectiveness of those controls over time. A Type I report is usually performed only once, after remediation, and is subsequently followed by a Type II report.
This is a high-level overview and does not address every detail of the process. We are here to help! Each business is different, and we tailor our approach to the unique needs and characteristics of your service organization. If you have any questions, please feel free to contact us.