Are You Ready for a SOC Report? The Two Biggest Pitfalls: Process & People
April 9, 2018
Since you’re reading this blog post, there’s a good chance you’re already contemplating a System and Organization Controls (SOC) report for your organization. Maybe a client asked for one; maybe an RFP requires it; or maybe, you see it as a tool to improve your own operations or to distinguish your organization from its competitors.
There are several different types and sub-types of SOC reports,* but they are all based on the same universal obligation: even though a business might outsource services to a third party, it cannot ignore its own internal financial-reporting and/or data-security responsibilities. SOC reports are intended to evidence whether the company performing the work (known in SOC parlance as the “service organization”) has sufficient policies, procedures and controls in place to meet the standards required by the AICPA.
SOC reports also share two major pitfalls. The report is the end result of a SOC audit, but treating the audit as its starting point can be a costly and time-consuming mistake. The audit will be faster, more efficient and more helpful to your company with some advance preparation involving your process and your people.
PROCESS: Formalization is Key
SOC reports differ in purpose and scope, but they share a common process. The auditor evaluates a service organization’s documented controls on three points: First, is the control reasonably described in a document? Next, is the control effectively designed – that is, based on the description, can it be expected to accomplish its stated goal? And, finally, is it operating effectively?
Failure to have effective controls in place is an obvious pitfall. Less obvious, but no less problematic, is having a policy that hasn’t been formalized, or that has insufficient or missing documentation.
Formalization is key. It is not enough to say “Yes, we do (X, Y or Z) throughout the process.” Auditors not only require evidence of what the control is, but also documentation about when and how it was adopted by management.
From a SOC auditor’s perspective, if it isn’t documented, it doesn’t exist. And if it doesn’t exist, it can’t be analyzed and it can’t be tested. The more iterations the policy must go through before the Service Auditor can test it, the longer the process will take – and the greater the impact on your organization’s bottom line.
Especially when entering your first SOC examination, it’s a good idea to work with your auditor to perform an initial readiness assessment, allowing you to remediate any gaps prior to the start of the reporting process and identify areas where additional policy documentation is necessary. Much of the initial assessment can be leveraged for the SOC report, making it a good investment.
PEOPLE: Importance of a Champion
SOC audits require input from people across the organization over time, and the number and duration will increase with the audit’s scope. It’s imperative to have a champion within the organization – one point-person who understands the process and is committed to its success, and who can facilitate and streamline the transfer of knowledge throughout the audit.
The pitfall is not having an internal champion to work alongside the SOC audit team and help ensure the audit is completed on time.
However, this is not just a matter of easier communication. The champion can also educate others in the organization about what the SOC auditor is doing, what the report will show and what benefits it will have. For example, even if your organization is only responding to a client demand, the SOC report can improve operational performance by ensuring that your internal control processes are efficient, consistent and documented.
To get the most out of a SOC audit, your organization needs buy-in, not only from management but also from the people performing the controls. If they don’t understand why the auditor is there and what the report will show, they won’t connect it to operational efficiency or improved performance. Beyond streamlining communication, your champion can help get that buy-in.
*We will discuss the different categories and sub-types of SOC reports in a later blog post, directed to the user entity. If you’d like more information now, please read our e-book.
If you’d like to discuss how our team can help with your SOC audit needs, please contact us here.