For many organizations, obtaining a System and Organization Controls (SOC) attestation report is table stakes for doing business. Many customers and vendors won’t even consider working with an organization that can’t produce a SOC report issued by an independent third-party assessor. Going through a SOC examination for the first time can seem overwhelming, but by taking the time to work through a simple audit checklist, many organizations can set themselves up for success.
What is SOC Compliance?
Companies are often asked if they are “SOC compliant” or if they can provide proof of “SOC compliance.” These terms can create confusion around what a SOC report represents, because SOC itself is not a compliance framework. SOC reports are attestation examinations performed by an independent third party to assess whether the organization’s internal controls are designed and operating effectively to mitigate different types of risk.
The guidelines for what types of risk mitigation measures are necessary will vary depending upon the type of SOC report and the scope of the audit itself. For example, a SOC 1 report focuses primarily on internal controls for financial reporting, and leverages the guidelines within the American Institute of Certified Public Accountants (AICPA) Statement on Standards for Attestation Agreements (SSAE 18). By contrast, a SOC 2 report focuses upon a broader set of internal controls that map to the AICPA’s Trust Services Criteria. The scope of a SOC 2 report is focused on security of the organization’s system, but the scope of the audit can expand to include additional criteria that includes confidentiality, availability, processing integrity and privacy, as determined by the organization.
Challenges of a SOC Audit
One challenge when preparing for a SOC audit is that the guidelines and requirements enable an organization to address risk using several different strategies. Unlike other compliance assessments, SOC does not define the exact controls an organization must implement within their environment, leaving room for ambiguity. SOC guidance enables an organization to use a risk-based approach to determine which controls need to be implemented to properly secure their environment. A SOC audit is a subjective evaluation of how well an organization meets the expectations defined by AICPA and must be performed by a licensed and independent CPA firm.
In addition, the types of controls implemented within an organization’s environment will differ depending on the industry and scope of services rendered. For example, an organization whose primary service is payroll processing will have different policies and procedures when compared with an organization providing colocation services. Therefore, you must consider the nature of risks to the organization and how they align to the SOC 1 and SOC 2 reporting.
SOC Audit Checklist
Getting ready for an initial audit requires time and effort, but investing that time can assure a more seamless process for the first and any subsequent audits. Regardless of the type of audit being performed, there are actions every company can take well before the auditors arrive.
1. Review Auditing Standards
Ensure the organization’s personnel tasked with the SOC audit understand the expectations and time commitment involved. The AICPA does a good job detailing its security guidelines, auditing standards and requirements. Staying on top of any new compliance standards is also important.
2. Account for Organizational Changes
In today’s fast-moving economy, organizations are continually moving into unmapped territory and competing with new service offerings. These changes can shift the scope of their security posture and pose unseen risks that require implementing additional policy considerations and controls to address such risks. Organizations should regularly review and update their internal controls framework to ensure all potential risks are addressed.
3. Develop a Timeline and Assign Tasks
A SOC audit should never be a surprise to an organization. A detailed project plan, including milestones and identified process owners responsible for the tasks, should be in place to set the organization up for success. The timeline should be discussed with the auditors to ensure that the compliance and audit firm is also prepared to best assist the organization.
4. Review Prior Audits (if available)
If available, previous SOC reports — as well as other compliance reports (e.g. PCI ROC, ISO Certification) — can provide a helpful roadmap for identifying how an organization’s internal controls framework is designed and operating. If an auditor has identified an exception or issue with a particular process or control in the past, that process or control should be a priority to address ahead of the next audit.
5. Gather Relevant Data
Depending on the type of audit performed, auditors will need access to information related to various security controls and information policies. A Type 1 report evaluates the existing state of controls at a point-in-time to determine if controls are in place. A Type 2 report evaluates whether controls are in place, but it also evaluates the effectiveness of those controls over a specific time period. Collecting the relevant data and information ahead of time can make the audit process more efficient and enables the auditor to identify potential problems earlier.
Selecting the Right Auditing Firm
When evaluating a potential compliance and audit firm, the first question to ask is whether or not the company is licensed to conduct audits and issue SOC reports. While many vendors sell software packages that help an organization prepare and gather data for their audit, the vendor is often not able to conduct the SOC audit themselves. That means the organization will still need to find an auditing firm that can perform the actual audit, which slows down the entire project.
Any reputable auditing firm should be able to provide a SOC report that attests to its own security readiness. They should also have sufficient staff to handle audits efficiently and be able to respond to a client’s needs quickly to avoid setbacks and delays.
Elevate Your Compliance Readiness with ALIGN
A-LIGN is a technology-enabled security and compliance firm with more than 20 years of SOC reporting and comprehensive audit experience. Our strategic compliance approach identifies common elements across a broad range of regulatory frameworks to make it easier for companies to meet a variety of cybersecurity and privacy standards. With A-LIGN, there is no need to start from scratch ahead of every audit, because you will already have the right processes and controls in place for continuous compliance.