SOC Readiness and Preparation
A SOC (System and Organization Controls) report can raise your customers’ confidence in your organization by providing assurance about the controls in place to protect the systems or data you manage or host on their behalf. A readiness assessment gives you an independent evaluation of your current control structure, so your management team can make informed decisions about control objectives and prepare for a successful SOC examination.
As a service organization, you can choose one of the 3 options below, depending on your customers’ needs:
A SOC 1 Report (Service Organization Controls Report) – a report on controls at a service organization that are relevant to user entities’ internal control over financial reporting (ICFR). This is the report you would previously have known as the standard SAS 70 (or SSAE 16) report; it now falls under SSAE 18 guidance.
A SOC 2 Report – based on the Trust Service Principles, this report is intended for customers who need information and assurance about how your controls affect the security, availability, processing integrity, confidentiality and privacy of the systems your organization uses to process customers’ data.
A SOC 3 Report – also based on the Trust Service Principles (WebTrust and SysTrust), this report is similar to a SOC 2 but can be distributed freely. It reports only on your organization’s achievement of the Trust Services Criteria (no description of test results and no opinion on the description of the system). This report can be useful for marketing purposes.
When trying to determine whether your organization needs a SOC 1, SOC 2, or SOC 3, ask the following:
Does your service affect a client’s financial reporting? A SOC 1 would apply to you.
Does your service affect only a client’s processing activity, or do you want to be evaluated against the Trust Service Principles? A SOC 2 or SOC 3 report would apply.
At Maverick, we can take your organization through the following readiness preparation steps:
Determine the scope of your audit – our consultants determine which Trust Service Principles or financial controls fall within the scope of your audit, based on the expectations of your customers and other stakeholders.
Write out policies and procedures – developing and writing policies is paramount, since your written rules and policies are the standard CPAs audit against for SOC attestation. We work closely with your management to develop the relevant policies.
Identify risks and control objectives, and perform a controls assessment – we evaluate the relevant risks, help your management identify controls that are in place or missing, and prepare the documentation needed to evaluate control design and operating effectiveness.
Report on the results of the assessment – our final report includes a summary of all controls tested, the observations and gaps noted, and a remediation plan for management to mitigate those gaps.
Interface with your SOC auditors – we also help bridge the gap between management and your organization’s SOC auditors by acting essentially as a “management’s extension”, or a face to your auditors.