SOC in 5 Simple Steps
Blog Article Published: 05/09/2014
By Ryan Dean, Senior Associate, BrightLine

As an audit firm, we are frequently contacted by service organizations that know they need a SOC report (usually by way of a client request) but don’t know where to begin. With that in mind, I have broken down the process of obtaining a SOC report into five simple steps.

Determining the Scope

The first step in obtaining a SOC report for your company (the service organization) is to define the scope. A few questions to ask the stakeholders are:
- What service(s) do you need a SOC report for?
- What systems are involved in providing those service(s)?
- Are the services provided from a single location or several?
- Is the report intended for all users or only one specific customer?

- SOC 1 – Detailed report of controls placed into operation for services relevant to financial reporting
- SOC 2 – Detailed report of controls placed into operation for services concerning security, availability, processing integrity, confidentiality, and/or privacy
- SOC 3 – High-level report, including seal, that is made publicly available to users with a need for confidence in the service organization’s controls

- Service auditor provides a list of requested evidence (usually a month in advance of fieldwork)
- Service audit team arrives onsite at the service organization to perform testing (which includes interviews, walkthroughs, and documentation review)
- Service auditors document the testing results and work with the service organization to clarify any testing exceptions
- Service auditor provides the SOC report to the service organization