5 Steps for an Auditor to Prepare for a SOC Report


Imagine this, it's a late Wednesday afternoon and you are wrapping up your previous SOC engagement while simultaneously working on your current engagement. A check of your upcoming schedule reveals that next week, yet another SOC engagement for a client in your area looms. Juggling multiple engagements can be tricky, but must less so if there’s a tried and true process that’s become routine. Here are five easy steps to help an auditor prepare for a SOC engagement.

1. Perhaps the most elemental step you can take before starting a new audit engagement is to educate yourself about the client. 
In order to deliver the best possible service, it’s vital to be familiar with our client's business, the environment they operate in, and their service offerings. There’s no better way to learn that than by going straight to the source, so visit to the client's website, and read up on their mission statement and any other literature they’ve published about their business and industry, including their products and services offered. If it’s available, also take time to review the prior year SOC report, which will contain a wealth of information about the client's background and in-scope service that will help you gain a high-level, specific understanding of the client. 

2. If your firm performed the previous audit, request access to any documents the client previously completed regarding their environment.
In most cases, marketing brochures, a documented system description, process narratives, a prior year information request list, or the executed contract can help with understanding the scope of the audit, and the environment in question. For instance, regarding SOC 2 examinations, the executed contract can provide details on which categories are included in the scope, and it might also outline examination date or examination period, project deliverables, and timing of audit. A look at the documented systems description can help shed light on the technologies operating in the client's environment that affect the systems/services in-scope for the audit. In addition, the description can provide valuable information regarding processes, data used and supported by the system, third party vendors (or subservice organizations) that are either included or carved-out, and the major departments within the organization necessary to meet the commitments made to the customer and ensure the delivery of the service offering.

3. If you are engaged on a recurring client, review the prior year testing memos.
This simple task will help you get familiarized with the controls operating at the client for the in-scope system(s). Reviewing the memos will also provide a better idea of the testing needed to meet each control for the criterion or objective. Make sure to communicate with management regarding any known changes or updates made to the environment in order to understand if there are any new or updated controls. On the other hand, if you are engaged on a first-year audit, prepare a set of questions to ask the client during on-site interviews based on the criterion or objective. Use the knowledge gained by reviewing the executed contract and system description questionnaire to identify the environment you are auditing and applicable controls. Similar SOC reports completed from other clients in the same industry, or with similar characteristics to those presented by your client, might provide ideas for good questions to ask of client personnel.  Refinement of control activities will be achieved through the walkthroughs and evidence review performed during fieldwork. 

4. Get familiar with the information request list (IRL).
This will help organize your thought process and compartmentalize the audit into smaller tasks you can check off as you receive and review evidence during fieldwork. It’ll also help draw a link between the evidence requested and the controls to be tested. Being familiar with the IRL will also help you identify if any requests need to be added in order to test the agreed upon scope. This kind of  understanding of the IRL will pay dividends during the audit, as it will facilitate the communication between auditor and client. You will be able to speak to specific pieces of evidence using its reference number, and ensure that both sides are talking about the same item. It’s also important to know how often you should send updated IRLs to the client, how the evidence will be collected, and if you will schedule status meetings to go over follow up items and pending IRL requests. This will help you set a good baseline of communication between you, your client, and your team. Make sure to coordinate with your team and the client regarding the logistics to be followed during fieldwork.

5. Finally, ask or volunteer to prepare engagement planning activities, such as the kick-off meeting agenda.
This document will be handy during your first day on-site, since a typical kick-off meeting agenda briefly summarizes the scope of the engagement, the timing, and introduces the team members to the client. Moreover, if you have some free time before starting the on-site audit, start rolling forward or drafting the testing memos. Going through this process will help you front-load some of the work required during the audit, and free up time to review evidence and document your testing later.

As with most things in life, having a simple yet strong process in place is important for both efficiency and personal peace of mind. Auditing is no different, and I hope you have found these suggestions on how to prepare for a SOC engagement informative and helpful. Speaking from experience, applying these simple steps to each new engagement has helped make what can sometimes be a packed schedule seem straightforward and simpler than previously thought.

Previous Article
Rocky Mountain Information Security Conference 2018
Rocky Mountain Information Security Conference 2018

Join Schellman at the 2018 RMISC

Next Article
The Dangers in Perpetuating a Culture of Risk Acceptance
The Dangers in Perpetuating a Culture of Risk Acceptance

This article details the prevalence of risk acceptance within organizations, why IT security dep...


Subscribe now
to receive content updates once a week

First Name
Error - something went wrong!