Today, service organizations work in an increasingly regulated business environment. Those who haven’t completed a SOC audit are now being required to for the first time.
While this process can appear overwhelming, working with the right CPA firm can guide you through your SOC compliance process and even solve potential issues before the audit begins.
So, what should you expect from your first SOC audit? It first starts with preparation.
1. Determine the SOC audit scope
An important step in preparing for a SOC audit, whether it is a SOC 1 or a SOC 2, is determining the scope. Which services, processes or systems are most relevant to your customers and should be the focus of the audit?
When preparing for a SOC 1 audit, you will also need to determine control objectives for each identified service, process or system in scope. These control objectives set the scope of the SOC 1 audit. A control objective is a goal that your organization achieves by establishing control activities. Control activities are the policies and procedures you put in place to help ensure that your organization’s management directives are carried out.
SOC 2 audits require you to decide which additional categories your customers would be interested in and are relevant to your environment. The available categories are security, availability, confidentiality, processing integrity and privacy.
Essentially, a SOC audit evaluates the internal controls and processes identified by you as being within the scope of the audit.
The CPA firm acting as the service auditor will not determine the scope of the SOC audit; however, they can provide guidance on control objectives for your service organization to consider when determining the scope.
2. Evaluate and document your processes
Whether it is a SOC 1 or SOC 2, you will need to evaluate which internal processes you have in place. For a SOC 1 audit, you should identify relevant processes that you do to meet your control objectives. For SOC 2 audits, you should review the SOC framework to understand what it requires of your service organization in terms of the criteria and principles included in the scope.
First, identify control processes that are currently in place and the owners of these processes. Then identify control gaps where you don’t have processes in place to meet all requirements of the SOC framework (SOC 2) or identified control objectives (SOC 1).
Afterward, document your identified control activities in an organized list, and map them to the SOC framework (SOC 2) or control objectives (SOC 1). Then document your management’s narrative of your control environment (aka the “Description of the Environment”) to describe who you are, your product/service and the key control processes in place.
3. Evaluate your readiness
Before the SOC audit begins, you have the opportunity to assess your readiness. Are you able to prove your internal controls are doing what you say they are? Do you keep evidence of all activities? Do you retain logs or other types of evidence for the reporting period you intend the SOC audit to cover?
Speaking of the reporting period, which would be best for your customer base? A Type 1 report or a Type 2 report?
In a Type 1 report, the service auditor reports on the fairness of the description of a service organization’s system and on the ability of the design of its controls to achieve the related control objectives or criteria included as of a specified date.
In a Type 2 report, the auditor reports on everything in a Type 1 report and then also includes an opinion on the operating effectiveness of the controls to achieve the related control objectives or criteria included throughout a specified period.
Type 2 audits can be more intensive. However, they may provide user entities with greater assurance on the effectiveness of the service organizations’ internal controls.
It’s most common for organizations to undergo a Type 1 audit for its first SOC audit. Control deviationscan then be used to strengthen the controls in place prior to undergoing the more extensive Type 2 audit.
4. The SOC audit in action
Now that you’re prepared, what will the actual SOC audit be like?
We’ll speak from our experience as service auditors.
First there are the walkthroughs, which typically require three days on site. Wipfli interviews control owners to understand the identified processes and what evidence is available for testing. After the walkthroughs, we provide management with two detailed request lists to be filled prior to testing.
The preliminary document request list identifies documents that we will be using during our testing process. Certain documents can be gathered prior to the on-site visit, while others will be requested while on site.
The interview request list will identify which business areas the needed interviews will cover, as well as the estimated amount of time required for each interview. The service organization is responsible for identifying the employees that are most appropriate for the interviews and scheduling times for the interviews during the service auditor’s on-site visit.
5. The testing process
Testing is typically five days, and what’s involved differs based on whether you’re undergoing a Type 1 or Type 2 audit.
For a Type 1 audit, we ask for evidence to prove controls are in place as of the date of the SOC report. This may require evidence such as screenshots showing passwords are configured appropriately on key systems, or a completed user access request form to prove that management has a process in place to document system access needs and manager approval of access.
For a Type 2 audit, we ask for evidence to prove that the controls were operating effectively throughout the entire reporting period. Evidence like this may involve a selected sample of employees hired throughout the entire period and their completed user access request forms.
At the end of the week, we hold an exit meeting. During the exit meeting, we review known report findings and management comments with the service organization, communicate outstanding items that have not been provided by the client, and estimate when the service organization can expect their report to be issued. The exit meeting also provides an opportunity for members of the service organization to ask questions or discuss any business concerns.
Are you ready for your SOC audit?
If you have questions about how to prepare for your first SOC audit, Wipfli’s SOC auditors are ready to answer them. Our professionals have extensive experience performing SOC audits for service organizations of all types. Learn more here.
Or continue on and read more about SOC audits:
Do I need a SOC audit? And do I need more than one?
Tips for passing a SOC audit