SOC in 5 Simple Steps
Published 05/09/2014
By Ryan Dean, Senior Associate
BrightLine
As an audit firm, we are frequently contacted by service organizations that know they need a SOC report (usually by way of a client request), but don’t know where to begin. With that in mind, I have broken down the process of obtaining a SOC report into five simple steps:
Defining the Scope
The first step in obtaining a SOC report for your company (the service organization) is to define the scope. A few questions to ask the stakeholders are:
- What service(s) do you need a SOC report for?
- What systems are involved in providing those service(s)?
- Are the services provided from a single location or several?
- Is the report intended for all users or only one specific customer?
For service organizations that specialize in one particular service, scope definition is fairly straightforward. However, many organizations offer a variety of services to their clients, and it is necessary to narrow down the scope. While some services can be combined into a common report (e.g. the various payroll processing services of a payroll company), it is not uncommon for a service organization to have separate SOC reports for the different services they offer.
Choosing a Report
The next step is to determine which type of report(s) will best suit your company’s needs, and perhaps more importantly, your customers’ needs. The most common report is the SOC 1 report (SSAE 16, or the historic SAS 70), but SOC 2 and SOC 3 reports continue to gain traction. The need for SOC reports is often driven by a service organization’s customers and/or their customers’ auditors. It is therefore important to ensure that the type(s) of report(s) a service organization pursues will satisfy those customers’ needs. Frequently, the type(s) of SOC report(s) that a customer would like the service organization to provide is included as a contractual requirement for doing business, but keep in mind that this is not always the case.
If specific requirements or requests are not made by contractual agreements and/or client requests, the service organization should select the SOC report that meets their needs:
- SOC 1 – Detailed report of controls placed into operation for services relevant to financial reporting
- SOC 2 – Detailed report of controls placed into operation for services concerning security, availability, processing integrity, confidentiality, and/or privacy
- SOC 3 – High-level report, including seal, that is made publicly available to users with a need for confidence in the service organization’s controls
In addition to SOC reports, service organizations are often either required (e.g. PCI DSS) or elect (e.g. ISO 27000) to obtain various other attestation or compliance reports to showcase their adherence to different compliance requirements. In such cases, service organizations should consider the efficiencies and cost savings that can be attained by using a “single vendor” approach for their compliance reporting needs.
Preparing for the Assessment
Prior to the commencement of an actual SOC assessment, service organizations can take steps to help ensure they are well prepared. For clients that have never undergone an assessment before, a readiness assessment is often recommended. A readiness assessment is intended for management use only, and will help the service organization identify both strengths and weaknesses with respect to the control environment. Regardless of whether it is a service organization’s first SOC report or tenth, management should always review and update their policies and procedures to ensure they reflect current practices, and make sure employees are aware of the upcoming assessment.
It’s SOC Time!
Whether your organization is undergoing a SOC 1, 2, 3, or some combination thereof, the auditor will be working closely with you to help ensure a smooth assessment process. After agreeing upon fieldwork (testing) dates, the overall SOC report process can be outlined in a few basic steps:
- Service auditor provides a list of requested evidence (usually a month in advance of fieldwork)
- Service audit team arrives onsite at service organization to perform testing (that includes interviews, walkthroughs, and documentation review)
- Service auditors document testing results and work with service organization to clarify any testing exceptions
- Service auditor provides SOC report to service organization
Next Steps
Most service organizations that undergo a SOC assessment do so on an annual basis. In order to continually improve the quality of the SOC report and the control activities contained within it, service organizations should consider feedback from both their service auditors and the users of the report (customers and their auditors). Service audit firms will often provide their clients with a list of observations made during SOC fieldwork. Such observations are not part of the actual SOC report; rather, they are an internal-use listing of opportunities for improvement that the service organization might consider implementing in their control environment. If implemented, the additional control activities can be added to the SOC report in subsequent assessments. Management should also consider feedback from their customers to make sure the report is meeting their (and their auditors’) needs. Finally, because the majority of SOC reports are of the Type 2 variety (Type 2 reports cover a review period, whereas Type 1 reports are point-in-time), it is important that service organizations consistently execute their control activities throughout the year. This will help ensure that when the SOC auditors return for the next year’s assessment, testing exceptions are not discovered as a result of a lax control environment.
About the Author:
Ryan Dean is a Senior Associate with BrightLine where he has performed Service Organization Controls (SOC) reporting projects for clients in a wide range of industries, including financial services, healthcare, information technology, and manufacturing. Ryan has also provided professional services to multiple Fortune 1000, publicly traded, and regional companies during the course of his career.