This article is a continuation of the two-part series on common questions about SOC examinations. In this article we will be covering what the process for completing a SOC examination looks like from day one.
SOC Readiness Assessment and Remediation
Most service organizations (nearly all of them in our experience) will require an initial readiness assessment to be performed prior to taking on a SOC examination for the first time. Readiness assessments may also be referred to as “gap assessments” and are designed to help organizations evaluate the current state of the processes and controls which would be in-scope for the examination. It is important to take this phase of the process seriously, otherwise, chances are that the service organization will be woefully unprepared and the results of the first examination may not be flattering.
Defining scope of examination
Most service organizations will require some help in figuring out what exactly should be included in the scope of their examination. This is completely normal, while SOC examinations are somewhat prescriptive in nature and consistent in their presentation, they are highly customized to the unique characteristics of the service organization.
Risk assessment
Management will need to complete a risk assessment, if they have not already, to ensure that they understand the risks present for each in-scope area and determine whether appropriate controls have been put into place to mitigate those risks. Walk-throughs of all in-scope process areas and controls will be conducted, feedback on any “gaps” in the controls identified will be provided, and recommendations will be made on the relative significance of in-scope controls to determine those which are key.
Understanding the quality of auditable evidence
Many service organizations have terrific processes in place, but often have trouble demonstrating them. Part of the readiness assessment process is meant to help the service organization understand the quality of the auditable evidence which is produced during the operation of in-scope controls and make recommendations for any improvements as needed. Many times, this does not require wholesale changes to pre-existing processes but merely tweaks as to how the operation of controls is documented and retained.
Remediation
After the readiness assessment is complete, management will begin remediating any gaps which were identified. This process will generally take several weeks to complete, and in some cases longer if management has resource limitations or if there were a significant number of items requiring attention.
SOC Examination
Are we there yet? Almost. Remember, audits are always looking backward in time, and the newly remediated control environment has not been operating very long. The periods covered by SOC examinations normally require 6-12 months (12 months is most common) of remediated controls operating in order to be useful, these are known as Type II SOC reports. Therefore, the examination phase of a Type II SOC report may not begin for many months after remediation has been completed to allow the newly remediated control environment enough time to operate.
If there is urgency to provide a SOC report to your user entities sooner rather than later, an alternative is a Type I SOC report that can be completed soon after the finalization of the remediation process. Instead of the examination covering a period-of-time as in the case of the Type II SOC report, the Type I SOC report covers only a point-in-time. The Type I SOC reports are generally less useful to your user entities as they only address the presentation and design of your controls as of a particular date and do not also address the operational effectiveness of your controls over time. Type I SOC reports are usually only performed once after remediation and are subsequently followed-up by a Type II SOC report.
Contact Us
Calvetti Ferguson works with middle-market companies, private equity firms, and high-net-worth individuals nationwide. Regardless of the complexity of the compliance, assurance, advisory, or accounting need, our team is ready to help you. Please complete the form below, and we will follow up with you shortly.