By Christopher Moschella, CPA, CISA, Risk Advisory Services Senior Manager
What can companies do to help contain SOC 2 costs and reduce the audit footprint?
SOC 2 exams are not inexpensive. By the time you add up the time it takes auditors to test the design and operating effectiveness of your controls, between 55 and 75 controls, including all the walk-throughs, gathering screenshots, selecting and testing samples, and more, the hours really add up, and as a consequence, so do the bills.
The audit fees, however, are only part of the cost of an audit. The time your team spends occupied by audit requests is time they are not spending on productive tasks building value for your business. We call this hidden cost the audit footprint. As a firm, we do several things to reduce the audit footprint, but organizations undergoing an audit play a large part in containing these costs as well.
So, what are some of the things that organizations can do to help contain these costs and reduce the audit footprint? Most, if not all, of the avoidable time lost during an audit is spent in follow-up discussions, in performing research in response to follow-up requests, and in email conversations with the auditors.
Even a quick response to an auditor can take the respondent’s mind off the task they were working on, creating “switching costs.” Switching costs come in two forms:
- Lost time – Taking your mind off a task to respond to an audit email is only part of the time consumed. Even a 5-minute email to an auditor answering a question could take someone out of their work mentally for much longer than that. Programmers especially can get mentally very deep into their code. Constantly thinking about the code they type and how it interfaces with other parts of the application can occupy every bit of concentration one has to offer. Taking time to send even a short email can wreck that concentration.
- Mistakes – Switching between tasks can also lead to mistakes. Just as distracted driving can lead to car accidents, being distracted by audit requests can lead to mistakes in regular work.
The best thing an organization can do to reduce the impact of an audit on their company is to reduce the follow-up questions from auditors. This is best accomplished by having well-designed controls that execute consistently and are properly documented. When you do have to communicate, be clear but thorough, and if the topic is complex, a quick discussion can often resolve the matter in a fraction of the time.
Get in the mind of the auditor
Auditors do not want to find testing exceptions, and good auditors do not want to get you. They want workpapers that meet the documentation requirements of the audit standards they are bound to follow. If you provide them with incomplete or confusing documentation, it will generate a follow-up question that unnecessarily eats up time. It is a good idea to perform a critical self-review of the documents you provide to the auditor. Try to put yourself in the shoes of someone who is looking at the documents for the first time. If questions come to mind during this critical self-review, then the documentation should be augmented or additional explanation provided to help prevent further follow-up.
Be forthcoming about testing exceptions
The auditor is not opposing counsel. They are not out to get you. They simply need to ensure their documentation is complete. If you provide documentation that you know will be a testing exception, it is much faster to just acknowledge it rather than to let the auditor discover it. If they discover it, they will usually first ask you for additional information. Many organizations at this point, desperate to avoid an exception, are inclined to throw all sorts of documentation at the auditor to see if anything “sticks.” After extensive back and forth and a lot of wasted time, you’ll almost always end up in the same place.
Execute periodic controls consistently
One source of very avoidable testing exceptions is controls that occur on a set periodic basis, e.g., monthly, quarterly, annually, etc. These controls frequently fail not because they are complex or time consuming, but simply because they happen so infrequently that people forget to perform them on time. When they are not performed, or are performed late, this generates a lot of discussion with auditors that eats away at your time.
A great and inexpensive way to ensure these controls are performed on time is to assign someone the responsibility of being a SOC Champion. Among the SOC Champion’s responsibilities is creating calendar reminders on the control owners’ calendars for when these controls should be performed. Additionally, the SOC Champion should follow up with the control owners to verify that these controls are actually performed. The SOC Champion should be someone with a strong attention to detail who does not mind “bothering” people.
By assigning someone this role, the organization will also demonstrate the importance of complying with their own policies to the rest of the staff, thereby serving to increase the control consciousness of the overall entity, reducing the likelihood of exceptions in other areas.
By ensuring that these periodic controls are performed on time, the organization will significantly reduce the time-consuming communications with auditors that result when they are performed late.
Talk through questions on the phone or through a screen sharing call
A picture is worth a thousand-word email. If the auditor has a follow-up question, spending time in email to craft the perfect response can take the better part of an afternoon. And even then, the auditor might still have follow-up questions. If you receive an inquiry from the auditor and the answer is not perfectly straightforward, schedule a call or a screen share. That way you can work through the questions together. Doing this, you can easily turn hours and hours of back-and-forth emailing into a 30-minute discussion.
Be thorough in communications with the auditor
IT auditors tend to be technology generalists rather than specialists. It is unlikely that your auditor will know the ins and outs of the technology platform and processes that you have adopted and work with every day. When communicating with auditors, it is important to think about what you are assuming they know. If your communications assume several levels of underlying knowledge about your specific tooling and processes, it is a good idea to explain those foundational concepts as well. When this is necessary, it is probably also a good idea to have a call or a screen share.
SOC exams, including SOC 2 exams, are not inexpensive. The audit fees, however, are only part of the total cost to your organization. A significant part of the cost of a SOC audit is the time the audit takes from you and your team. Fortunately, these costs are, in large part, under your control. By executing controls effectively and on time, communicating clearly and openly with auditors, and taking complex issues out of email and into phone calls and screen shares, you can reduce a lot of these costs.
Keiter provides SOC Exam and Exam Readiness Services for all types of SOC exams. Our SOC services are provided by our Risk Advisory Services Team, which is led by experienced CPAs, CISAs, and technology professionals with industry experience. Our Risk Advisory Services Team serves a variety of industries and business types.
The information contained within this article is provided for informational purposes only and is current as of the date published. Online readers are advised not to act upon this information without seeking the service of a professional accountant, as this article is not a substitute for obtaining accounting, tax, or financial advice from a professional accountant.