SOC 1 & 2 Readiness Assessment Services
Our mission is helping clients achieve and maintain SOC certification
SOC 1 & 2 Readiness assessment process
So you need a SOC report...
Chances are, a critical business associate, client or vendor has mandated your organization obtain SOC certification based on their governance, risk and compliance requirements in order to maintain ongoing business relations. Consequently, your organization has suddenly been tasked with obtaining a SOC1 or SOC2 report (perhaps both) by a specified deadline that's much too close for comfort. If that's the case, breathe a little easier! You've come to the right place for information and guidance on what next steps to take.
From my past experiences with former clients, an array of general questions likely come to mind:
* How difficult and arduous is the process to obtain SOC certification?
* How much time, money, staff and effort will this require?
* Can this process be outsourced?
* Is a SOC 1 or a SOC 2 certification preferred? What's the difference between the two reports?
* Is a type 1 or type 2 report required? Again, what's the difference between the two reports?
* Are CPA firms the best resource for assistance and experience?
* What steps are required in order to obtain a SOC 1 or SOC 2 certification?
If any of the aforementioned questions above resonate with you, don't worry! You've come to the right place for answers and suggested guidance. After 16+ years experience as an information systems auditor and manager with various public accounting firms including PwC, RSM McGladrey, BDO and Moss Adams, I've dedicated my expertise and knowledge to help prospective and existing clients answer these questions and facilitate the SOC audit and certification process for them.
What's the first step towards obtaining SOC certification?
The first step in obtaining a SOC report for an organization is undergoing a formal readiness assessment. The readiness assessment serves as a dress rehearsal for an organization to identify potential problems, control gaps and shortcomings before undergoing an official SOC audit.
The SOC readiness assessment includes the following steps:
* Mapping existing organizational controls to objectives and trust services criteria within the SOC framework.
* Identifying control gaps and implementing new controls to buttress control objectives and trust services criteria within the SOC framework.
* Developing remediation plans and timetables for identified gaps in the control environment.
CPA firms are often the first place organizations look towards when seeking assistance with SOC reporting and readiness assessments. This is understandable given that SOC report attestation can only be performed by an independent Certified Public Accountant, so it stands to reason such firms have the technical expertise, training and certification to perform such engagements right? After 16+ years experience working for CPA firms such as PwC, RSM / McGladrey, Moss Adams and BDO, I've seen enough to know this is not always the case.
Readiness assessment services: What you can expect from CPA firms
In my years of experience working for CPA firms on hundreds of related SOC audits and engagements, the deliverable(s) for a SOC readiness assessment are generally limited to the following:
* A listing of control gaps; a diagnostic of sorts that shows where an organization's control universe exhibits shortcomings against the respective SOC trust service criteria and where improvements and additional controls are needed. The control gaps listed must be remediated by the organization before the SOC audit can commence.
* Examples of redacted policies and procedures from other clients that can used as templates for developing documentation for missing controls.
A very important note to keep in mind: CPA firms serve in an auditing capacity and are restricted due to conflict of interest from providing formal consulting services to a client if also providing attestation services. It's expressly forbidden by the AICPA / PCAOB and considered a moral hazard for an entity to provide consulting services and also provide assurance over one's own work.
You can expect to pay anywhere between $15,000 to $30,000 as a price point for a SOC readiness assessment with most CPA firms. This pricing estimate is based on my 16+ years experience on over 200+ engagements and budgets with various public accounting firms. The variability is dependent on the CPA firm's brand recognition in conjunction with the breadth and scope of the report (i.e. number of trust service criteria, controls, applications, resources).
That's an expensive diagnostic! Imagine taking your car in for annual inspection and the mechanic takes your payment in exchange for laundry list of items your car must have fixed or repaired before it will pass inspection. You might feel slighted that the mechanic only itemized the faults preventing you from passing inspection; rather than performing the service of repairing those items for you.
Readiness assessment services: What you can expect from us
Having seen the frustration of former clients during my tenure in public accounting with the aforementioned phenomenon of delivering little more than a diagnostic of shortcomings from a SOC readiness assessment, I've come up with a much more comprehensive approach:
* Developing a control universe tailored specifically for your organization. Many small to medium-sized firms and start-up companies don't have a dedicated GRC resource or preexisting list of internal controls within their organization. What matters most to management is keeping their business running and delivering goods and services to customers on time!
* A gap assessment with a remediation plan. With management's blessing, we will help develop and implement any controls identified during the gap assessment process. If you do not have a comprehensive IT staff or dedicated GRC resource, don't panic! We have access to resources and examples of automated, manual, preventative and detective controls that can be tailored to your organization without having to hire those expensive resources. We don't just perform a diagnostic, we remediate the issues identified so you can successfully obtain SOC certification.
* If desired, we can facilitate the SOC audit on behalf of your organization and interface with the auditors as your dedicated representative. I find that many prospective business partners don't want the headache of being involved in the SOC audit process. They'd rather it be managed by someone with familiarity of the process and avoid their staff having to meet with the auditors for weeks at-a-time pulling them away from their day-to-day responsibilities.
* If desired, we can prepare section III of the report (management's description of the system) for your organization once we've developed your control universe and mapped them to the appropriate SOC trust services criteria.
* If desired, we can serve as a dedicated internal audit and compliance resource for your organization to ensure controls are operating effectively throughout the year by managing ongoing controls such as user access reviews, risk assessments, internal / external vulnerability scans, remediation efforts and disaster recovery testing.
You can see by comparison, our niche is not just performing readiness assessments, but also providing a comprehensive concierge service that facilitates the certification audit, provides technical solutions and serves as an internal audit function to ensure ongoing compliance with SOC requirements from one audit cycle to the next.
From readiness assessment to SOC report
Next steps and estimated timetable for SOC compliance?
At the conclusion of the SOC readiness assessment, an organization will have a framework of designed and implemented controls mapped to the requisite SOC trust service criteria. One of the outcomes of performing a readiness assessment is assignment of control ownership over the various controls within the organization. Management and respective control owners are made aware of their oversight and ongoing responsibilities to ensure compliance. Any identified control gaps will need to be successfully remediated and assigned to control owners before the certification process can begin.
The next step is to engage a qualified CPA firm to perform a SOC1 / SOC2 type 1 / 2 engagement. If you are pressed for time by a business associate or client for urgent attestation of SOC compliance, I'd suggest beginning with a type 1 report. A type 1 report generally buys time by demonstrating an earnest commitment towards SOC compliance. A type 2 report can then be furnished annually thereafter to demonstrate a continuing commitment to SOC compliance requirements.
Let's look at a hypothetical timeline for organization ABC, which received notice from one of its critical business associates on January 1 that it needed to furnish a SOC 2 report before the end of Q2 to meet its vendor risk requirements. Organization ABC decided to initially obtain a SOC 2 type 1 report in order to meet the quickly approaching deadline.
January 1 - Notification of requirement for ABC to obtain an unqualified SOC 2 report by June.
January 15 - ABC begins undergoing a formal readiness assessment
February 15 - The readiness assessment is completed (2 additional weeks for gap remediation)
March 1 - ABC engages a CPA firm to perform a SOC 2 type 1 report, as of March 31
April 15 - ABC receives an unqualified SOC 2 type 1 report "as of March 31"
From here, the organization could choose to undergo a SOC 2 type 2 assessment that stretches from April 1 through September 30 (providing 6 months of coverage within the report). CPA firms tend to schedule delivery dates for a finalized type 2 report within 45 days after the opinion period end date. In this case, ABC would receive their SOC 2 type 2 report in mid-November.
