Here are five steps to help successfully prepare:
1. Validate the Nature of the Request.
Does your client base understand the various SOC reporting options and what they are asking of your organization from a compliance reporting perspective? Is there a connection between the services that you provide to your clients and any impact those services may have on the internal controls over financial reporting (ICFR) of your clients, or are you considering providing assurance over the control processes of your services that are relevant to security, availability, processing integrity, confidentiality, and/or privacy? The SOC 1 report can oftentimes be misunderstood or misused by the general public as a generic reference to third party examinations. There are misconceptions in the marketplace; help prevent them.
2. Understand the Trust Service Categories.
Experience has shown that the best way to reach an effective solution is by considering the needs of customers and other interested parties, also known as report users or user entities. First, communicating and determining the information the report users will want, need, or expect should help determine the best trust service categories (TSC) to include in the scope of the SOC 2 report. Also, service organizations must look at their control environment and identify which TSCs are applicable to the in-scope service, based on those criteria. It is common for a potential user entity to request specific TSCs, however, after reviewing the criteria, the organization’s business processes, the services commitments made to users of the system, and the service organization’s control environment, the TSCs may be applicable in the circumstances. For example, a cloud hosting service provider most likely would not need to focus on processing integrity, but it may be vitally relevant for a payroll provider.
3. Determine Your Preparedness.
Once you understand the different TSCs, consider your options and preparedness prior to determining how to proceed. If the system or service to be examined is relatively new and has never been through an assessment, it might be best to start with a readiness assessment and / or Type 1 examination, and then move to a Type 2 examination. Be mindful of the report date and reporting period, as they relate to Type 1 and Type 2; respectively.
4. Identify Key Personnel within Your Organization.
This person(s) will be responsible for the overall assessment effort. Determine whether your organization has the bandwidth necessary to provide the time and resources required of the examination. Although not mandatory, it is often helpful to assign an individual within your organization with audit and / or compliance experience to serve as the primary internal resource, and liaison to the external auditors.
5. Contract and Start Planning.
It is necessary to perform due diligence when selecting your service auditor. Speak with at least three different firms. Confirm that the firms have the proper licensing and credentials to operate in the state(s) that your services are located, have skilled and credentialed personnel, and are a good fit overall with your organization. Experience really matters here, and a primary consideration is how experienced the personnel are, not the firm. Remember, the least costly firm is not always the best option.
Some questions to ask:
- How many SOC 2 engagements have you performed as a company?
- How many SOC 2 engagements have been performed for other companies in your industry?
- How much experience do your personnel have in performing SOC 2 engagements? Are they full-time employees or subcontractors?
- How do you provide pricing, billable hours or fixed-fee?
A properly planned engagement with an experienced audit firm will help your SOC 2 examination be successful.
About the AuthorMore Content by Stephen Halbrook