SOC 1 & 2 Readiness Assessment Services
Our mission is helping clients achieve and maintain SOC certification
Chances are, a critical business associate, client or vendor has mandated your organization obtain SOC certification based on their governance, risk and compliance requirements in order to maintain ongoing business relations. Consequently, your organization has suddenly been tasked with obtaining a SOC1 or SOC2 report (perhaps both) by a specified deadline that's much too close for comfort. If that's the case, breathe a little easier! You've come to the right place for information and guidance on what next steps to take.
From my past experiences with former clients, an array of general questions likely comes to mind:
* How difficult and arduous is the process to obtain SOC certification?
* How much time, money, staff and effort will this require?
* Can this process be outsourced?
* Is a SOC 1 or a SOC 2 certification preferred? What's the difference between the two reports?
* Is a type 1 or type 2 report required? Again, what's the difference between the two reports?
* Are CPA firms the best resource for assistance and experience?
* What steps are required in order to obtain a SOC 1 or SOC 2 certification?
If any of these questions resonate with you, don't worry! You've come to the right place for answers and suggested guidance. After 16+ years' experience as an information systems auditor and manager with various public accounting firms including PwC, RSM McGladrey, BDO and Moss Adams, I've dedicated my expertise and knowledge to helping prospective and existing clients answer these questions and to facilitating the SOC audit and certification process for them.
Let's answer the most pressing question first: what are SOC 1 & 2 reports and what purpose do they serve?
SOC is an abbreviation for "service organization controls". A SOC report provides an attestation of an organization's control environment including the design and implementation of those controls and how well they're operating over time. The difference between a SOC 1 and SOC 2 report can be summarized according to scope:
* SOC 1 reports provide an attestation (by an independent 3rd party, i.e. CPA firm) of an organization's internal controls over financial reporting and related supporting information technology general controls (ITGCs).
* SOC 2 reports provide an attestation (by an independent 3rd party, i.e. CPA firm) of an organization's internal controls against a framework of AICPA trust services criteria related to security, processing integrity, availability, confidentiality and privacy.
A SOC 1 report is generally required when an organization's services impact a critical business associate, client or vendor's financial reporting. For example, staffing agency XYZ relies on the completeness and accuracy of billable time collected and submitted by its contractors using Company ABC's payroll software.
For SOC 2 reports, the security trust services criterion is mandatory; other trust services criteria can be included as deemed appropriate. Generally speaking, the more criteria included in the report, the more expensive the report becomes, so be sure to limit its scope in accordance with the needs of the recipient(s). SOC 2 reports provide assurance to prospective business associates and clients that Company ABC has strong organizational controls and IT security in place throughout the organization and its network.
A type 1 report analyzes the design and implementation of controls as of a particular date but does not provide any attestation of operating effectiveness. A type 2 report analyzes the operating effectiveness of controls over a period of time (generally the opinion period is recurring and between 3 and 12 months). A type 2 report requires that the auditor gather populations and perform sample-based testing throughout the opinion period; consequently, a type 2 report is more comprehensive and more expensive.
The purpose of obtaining a SOC 1 or SOC 2 report is to demonstrate to third parties (restricted entities) an organization's controls and compliance against the AICPA's framework, endorsed by the attestation of a reputable, independent third party (CPA firm). These reports lend credence to the strength of an organization's control environment when performing due diligence procedures and questionnaires with existing and prospective business associates and vendors. The hope is that the SOC report will reduce the number of requests and the due diligence associated with standard information gathering questionnaires during the onboarding and risk management process.
If you'd like a deep dive into the layout, structure and content of SOC 1 & 2 reports, the AICPA has free toolkits, illustrative reports and materials to download, which can be accessed via the link below.
The first step in obtaining a SOC report for an organization is undergoing a formal readiness assessment. The readiness assessment serves as a dress rehearsal for an organization to identify potential problems, control gaps and shortcomings before undergoing an official SOC audit.
The SOC readiness assessment includes the following steps:
* Mapping existing organizational controls to objectives and trust services criteria within the SOC framework.
* Identifying control gaps and implementing new controls to buttress control objectives and trust services criteria within the SOC framework.
* Developing remediation plans and timetables for identified gaps in the control environment.
CPA firms are often the first place organizations look to when seeking assistance with SOC reporting and readiness assessments. This is understandable given that SOC report attestation can only be performed by an independent Certified Public Accountant, so it stands to reason that such firms have the technical expertise, training and certification to perform such engagements, right? After 16+ years' experience working for CPA firms such as PwC, RSM / McGladrey, Moss Adams and BDO, I've seen enough to know this is not always the case.
In my years of experience working for CPA firms on hundreds of related SOC audits and engagements, the deliverable(s) for a SOC readiness assessment are generally limited to the following:
* A listing of control gaps; a diagnostic of sorts that shows where an organization's control universe exhibits shortcomings against the respective SOC trust service criteria and where improvements and additional controls are needed. The control gaps listed must be remediated by the organization before the SOC audit can commence.
* Examples of redacted policies and procedures from other clients that can be used as templates for developing documentation for missing controls.
A very important note to keep in mind: CPA firms serve in an auditing capacity and, because of conflict of interest rules, are restricted from providing formal consulting services to a client to whom they also provide attestation services. It's expressly forbidden by the AICPA / PCAOB and considered a moral hazard for an entity to provide consulting services and then provide assurance over its own work.
You can expect to pay anywhere between $15,000 and $30,000 for a SOC readiness assessment with most CPA firms. This pricing estimate is based on my 16+ years' experience on 200+ engagements and budgets with various public accounting firms. The variability depends on the CPA firm's brand recognition in conjunction with the breadth and scope of the report (i.e. number of trust services criteria, controls, applications and resources).
That's an expensive diagnostic! Imagine taking your car in for its annual inspection and the mechanic takes your payment in exchange for a laundry list of items your car must have fixed or repaired before it will pass inspection. You might feel slighted that the mechanic only itemized the faults preventing you from passing inspection, rather than repairing those items for you.
Having seen the frustration of former clients during my tenure in public accounting when a SOC readiness assessment delivered little more than a diagnostic of shortcomings, I've come up with a much more comprehensive approach:
* Developing a control universe tailored specifically for your organization. Many small to medium-sized firms and start-up companies don't have a dedicated GRC resource or preexisting list of internal controls within their organization. What matters most to management is keeping their business running and delivering goods and services to customers on time!
* A gap assessment with a remediation plan. With management's blessing, we will help develop and implement any controls identified during the gap assessment process. If you do not have a comprehensive IT staff or dedicated GRC resource, don't panic! We have access to resources and examples of automated, manual, preventative and detective controls that can be tailored to your organization without having to hire those expensive resources. We don't just perform a diagnostic, we remediate the issues identified so you can successfully obtain SOC certification.
* If desired, we can facilitate the SOC audit on behalf of your organization and interface with the auditors as your dedicated representative. I find that many prospective business partners don't want the headache of being involved in the SOC audit process. They'd rather it be managed by someone familiar with the process, so their staff don't have to meet with the auditors for weeks at a time, pulled away from their day-to-day responsibilities.
* If desired, we can prepare section III of the report (management's description of the system) for your organization once we've developed your control universe and mapped it to the appropriate SOC trust services criteria.
* If desired, we can serve as a dedicated internal audit and compliance resource for your organization to ensure controls are operating effectively throughout the year by managing ongoing controls such as user access reviews, risk assessments, internal / external vulnerability scans, remediation efforts and disaster recovery testing.
As you can see by comparison, our niche is not just performing readiness assessments, but also providing a comprehensive concierge service that facilitates the certification audit, provides technical solutions and serves as an internal audit function to ensure ongoing compliance with SOC requirements from one audit cycle to the next.
At the conclusion of the SOC readiness assessment, an organization will have a framework of designed and implemented controls mapped to the requisite SOC trust service criteria. One of the outcomes of performing a readiness assessment is assignment of control ownership over the various controls within the organization. Management and respective control owners are made aware of their oversight and ongoing responsibilities to ensure compliance. Any identified control gaps will need to be successfully remediated and assigned to control owners before the certification process can begin.
The next step is to engage a qualified CPA firm to perform the SOC 1 or SOC 2 engagement (type 1 or type 2). If you are pressed for time by a business associate or client for urgent attestation of SOC compliance, I'd suggest beginning with a type 1 report. A type 1 report generally buys time by demonstrating an earnest commitment towards SOC compliance. A type 2 report can then be furnished annually thereafter to demonstrate a continuing commitment to SOC compliance requirements.
Let's look at a hypothetical timeline for organization ABC, which received notice from one of its critical business associates on January 1 that it needed to furnish a SOC 2 report before the end of Q2 to meet its vendor risk requirements. Organization ABC decided to initially obtain a SOC 2 type 1 report in order to meet the quickly approaching deadline.
* January 1 - Notification of requirement for ABC to obtain an unqualified SOC 2 report by June.
* January 15 - ABC begins undergoing a formal readiness assessment.
* February 15 - The readiness assessment is completed (2 additional weeks for gap remediation).
* March 1 - ABC engages a CPA firm to perform a SOC 2 type 1 report, as of March 31.
* April 15 - ABC receives an unqualified SOC 2 type 1 report "as of March 31".
From here, the organization could choose to undergo a SOC 2 type 2 assessment that stretches from April 1 through September 30 (providing 6 months of coverage within the report). CPA firms tend to schedule delivery dates for a finalized type 2 report within 45 days after the opinion period end date. In this case, ABC would receive its SOC 2 type 2 report in mid-November.
Copyright © 2023 SOC12Readiness - All Rights Reserved.