Let’s be honest, when you embark on the journey to complete a SOC report, it’s probably not by choice, meaning you just want to get it over with. As an auditor, that’s what I love to hear. This article will give you an idea of what to expect.
When people ask how much effort and time goes into issuing a SOC report, I usually start with the dreaded response of “it depends.” It depends on the status of your current control environment, it depends on the scope of the audit, and it depends on what criteria or control objectives you want to include. If your company has little to no internal controls and no written policies and procedures, it typically means the process will take more time and effort compared to those who have an internal audit department. Additionally, if you want the audit to cover the entire company – rather than one department or service line – it adds to the time and effort it may take. Finally, if you are having a SOC 2 report, you need to determine which trust services criteria (TSC) to include, and for a SOC 1, you need to determine which control objectives to include. All of which is discussed during initial meetings with the auditor prior to beginning any work.
In order to reach the end goal of issuing a Type 2 report, you can have one or multiple steps – a Readiness Assessment, a Type 1 report, and a Type 2 report. Companies are able to go straight to a Type 2 report and forgo the other steps. However, this does come with risk. If you start the Type 2 testing before the other steps, you have the potential for exceptions (which are required to be disclosed in the report) because no one has previously validated that the controls are in place and operating effectively.
The audit process has always been more successful when there is a person charged with leading the coordination efforts internally. This person maintains the matrix of controls, documentation requirements, and regularly checks that everyone across the organization with a role in the controls is doing what they are supposed to be doing (i.e. completing forms, capturing notes or meeting minutes, etc.). While reading the steps, I suggest thinking about who that individual would be.
SOC Readiness Assessment
As stated before, a SOC Readiness Assessment is not required and does not result in a SOC report, but it is an important step for ensuring controls are in place and that there will not be any gaps when it comes to testing. This step is also an introduction to what to expect in a SOC report. The goal of this assessment is to determine what controls are in place to satisfy the SOC criteria/control objectives and to determine whether there are control gaps that the company needs to remediate. The readiness, or gap, assessment could also be performed on your own without the auditor. However, in our experience, the initial examinations go much better when the readiness assessment is conducted with the same auditor’s judgment and opinions in mind.
The readiness assessment process consists mostly of interviews between the auditor and company, as well as obtaining some supporting documentation. For a SOC 1, these meetings will primarily include members of Accounting, Operations, and any other individuals who are involved in the processing of financial information. There will be some discussions with HR and IT but not a significant amount. For a SOC 2, these meetings include members of HR, IT, Software Development, Legal, and Customer Service. Typically, it takes about a week or so of fieldwork to complete the assessment. Do not worry, that is not a week of everyone’s time. Instead, it will require each individual to commit a couple of hours over one or two days.
Once the assessment has been completed, control gaps will be identified and it is now the company’s job to remediate these gaps with help if needed. This is typically the most time-consuming part and can take months depending on the gaps and how much time, money, and effort you are willing to put into resolving them.
SOC Type 1
The difference between a Type 1 report and a Type 2 report is that a Type 1 report only covers the control design and implementation as of a certain date while a Type 2 report covers both the control design/implementation and operating effectiveness over a testing period. Therefore, a Type 1 report will have significantly less testing.
During the readiness assessment, controls are finalized, solidified, and documented. It is these controls that the auditor will begin testing during the Type 1 examination. That entails the company providing the auditor with support to prove the controls are in place and designed properly. For example, if you have a control that a new employee’s access to the network is approved prior to being granted, you will provide an example of this, whether it is a completed access ticket or a blank access ticket. The auditor wants to become comfortable with stating that the controls are in place, so they may request more support. The same individuals involved in the readiness phase will be involved in Type 1 testing and will work with the auditor to provide support.
Another big component of the Type 1 report is the system description. This gives an overview of the in-scope component that is being examined, whether it is a claims payment process or an application. While the system description is ultimately your responsibility to write and maintain, this is often a collaborative effort between the auditors and your company, requiring a significant effort on both parts. However, once you write it, you will not have to write it again, unless something changes within the company and its processes.
You can expect a similar time and effort commitment as seen in the readiness assessment; however, you will not have gaps to remediate at the end. You will only need to focus on the controls operating and being well documented for the Type 2 examination.
SOC Type 2
A Type 2 examination also involves testing of the controls established in the Type 1 report over a period of time, typically six months to a year. The end goal is to verify that the controls were operating effectively over the entire period. This means you will want the person charged with leading SOC efforts to check in with everyone across the organization regularly throughout the year to make sure the controls are operating and documentation is captured.
For testing, the auditor will obtain a population of transactions or items that were subject to a control, select a sample, and request support to verify the control was operating. In the previous example of a new employee’s access to the network needing to be approved prior to being granted – the testing would start with you providing the population of new hires from which a sample will be taken, then providing the completed access ticket for each individual selected. The auditor will verify not only the access approval but also verify that the permissions actually granted match those approved in the ticket.
If everyone on the team is diligent and responsive, testing for a Type 2 report will take a week of fieldwork. There will be some commitment beforehand for pulling together items from the auditor’s request list. However, the effort should not be as significant as the readiness assessment and Type 1, where the controls and the description had to be written for the first time.
In all, to have a successful SOC process, it is important to have someone lead the efforts who knows and understands the business. Having great organizational skills, while not required, does help make the process seamless. For this coordinator, it may feel like a full-time job in the beginning, but after the readiness assessment and Type 1 testing are completed, they will move into maintenance mode and it will be more of a part-time role.
Contact us today for more information or to discuss this topic further. GBQ IT Services is one team of builders, breakers, operators and auditors with access to a consortium of 50 experienced IT, cyber and assurance professionals delivering IT risk, cybersecurity and productivity solutions. We build value through IT strategy, protect value with information risk and cybersecurity services, measure value and improve productivity with data analytics and process automation and assure value through IT audit services.
Article written by:
Manager, Information Technology Services