Authored by Jodi Harris | Principal, Audit Services
Since you’re reading this blog post, there’s a good chance you’re already contemplating a System and Organization Controls (SOC) examination—a process that consists of American Institute of Certified Public Accountants (AICPA) defined audit procedures resulting in the issuance of a SOC report for your organization.
If this is the case, there are a few primary reasons why you might move forward:
- A client asked for one
- A request for proposal (RFP) requires it
- You see it as a tool to improve business operations
- It’s an opportunity to distinguish your organization from its competitors
SOC reports are intended to evidence whether a company performing outsourced services has sufficient policies, procedures, and controls in place to meet the standards required by the AICPA. The report is the result of a SOC examination. However, treating the examination as the starting point can be a costly and time-consuming mistake.
There are two major components that drive a successful SOC examination: process and people.
With advance preparation around both, the SOC examination will be faster, more efficient, and more helpful to your company.
Process | Formalization is Key
SOC reports differ in purpose and scope but share a common process. The auditor evaluates a service organization’s documented controls on three points:
- Is the control reasonably described in a document?
- Is the control effectively designed – that is, based on the description, can it be expected to accomplish its stated goal?
- Is it operating effectively?
Failure to have effective controls in place is an obvious pitfall. Less obvious, but no less problematic, is having a policy that hasn’t been formalized, or that has insufficient or missing documentation to meet the needs of the organization.
Formalization is key. It is not enough to informally speak to your process. Auditors not only require evidence of what the control is, but also clear documentation about when and how it was adopted by management.
From a SOC auditor’s perspective, if it isn’t documented, it doesn’t exist. And if it doesn’t exist, it can’t be inspected or tested. The more iterations the policy must go through before the Service Auditor can test it, the longer the process will take — which ultimately impacts your organization’s bottom line.
When entering your first SOC examination, it’s a best practice to work with your auditor to perform an initial readiness assessment. This not only ensures a more efficient reporting process, it also enables you to remediate any gaps prior to getting started and identify areas where additional policy or evidentiary documentation is necessary. Much of the initial assessment can then be leveraged for the SOC report, making it a good investment.
People | Importance of a Champion
SOC examinations require input from various people within the organization over time. Depending on the scope of work, the number of people involved might increase. So, it’s imperative to have a champion within the organization—a designated point-person who understands the process, is committed to timelines and overall success, and can facilitate and streamline the transfer of knowledge throughout the examination process.
However, this is not just a matter of easier communication. The champion can also educate others in the organization about the role of the SOC auditor, inform others about the process, and communicate the outcomes/benefits of the final report. For example, even if your organization is only responding to a client demand, the SOC report can improve operational performance by ensuring that your internal control processes are efficient, consistent, and documented.
To get the most out of a SOC examination, your organization needs buy-in from leadership, management, and those performing the controls. If they don’t understand why the auditor is there and what the report will show, they won’t correlate it to operational efficiency or improved performance. Beyond streamlining communication, your champion can help get that buy-in.
In closing, with the proper process and personnel, a SOC examination will be a seamless initiative that will produce high value for your organization.