By Scott M. McAuliffe, CPA, CISA, CFE, Risk Advisory Services Partner
Part 4 of a 4 Part Series on SOC Reporting
What steps can a Service Organization take to prepare for a System and Organization Control Report?
Most companies do not want to spend money on expenses before they are needed. Similarly, service organizations do not want to spend money on a System and Organization Controls (SOC) report if their customers are not requesting or requiring it. However, if a service organization obtains sensitive data and its target clients are public companies, municipalities, financial services companies, or healthcare companies to name a few, it’s only a matter of time before it is required to obtain a SOC report.
As we discussed in our second article in this series, it can take a service organization substantial time and resources to obtain a SOC report. However, most service organizations don’t start thinking about a SOC report until they receive an RFP or customer agreement with a SOC report requirement. When this happens, the service organization could be reducing its chances of winning the RFP or signing the customer agreement. In all likelihood, at a minimum, the service organization will need to demonstrate that it is in the process of getting a report.
Steps to reduce the time needed to get ready for a SOC report
- Ensure it has implemented strong entity-level controls, such as Code of Ethics policy, job descriptions for all employees, annual performance reviews, and Employee Handbook.
- Perform risk assessments (e.g., enterprise-wide, process level, fraud, and IT)
- Develop policies and procedures
- HR hiring policies
- Finance and operating policies for the services provided to your customers
- IT policies, including Information Security Policy, Bring Your Own Device (BYOD), Acceptable Use, and System Development Life Cycle (SDLC)/Change Management
- Ensure mechanisms are in place, such as intranets or websites to communicate critical information (e.g., policies, terms and conditions) to both internal and external parties.
- Ensure proper segregation of duties has been implemented throughout financial and IT processes. Remember to consider the individual’s access to systems and applications. You can’t just segregate the responsibilities. You also need to segregate their user access.
- Ensure access to key technologies is approved prior to being granted, removed quickly upon termination, and periodically reviewed.
- Maintain documentation to prove to auditors that your controls occurred. In today’s paperless environment, many companies do not want to maintain hard copy documents, which is fine. However, companies must identify ways to evidence that a control procedure was performed.
- Implement procedures to monitor your subservice providers such as obtaining and reviewing SOC reports, having periodic calls/meetings with subservice providers, and monitoring service-level agreements (SLAs) in contracts.
Review a Similar Organization’s SOC Report
Additionally, a service organization can review the SOC report of a similar organization. For example, a service organization obtaining a SOC 2 report can review the SOC 2 report for its data center or cloud provider. Reviewing a similar report can provide you with valuable insights on the details that need to be included in the “Description of the System,” as well as the controls that might need to be in place at your service organization. This will allow the company to start writing its Description of the System and identify potential control gaps.
Want to get a head start on prioritizing your SOC readiness activities? Keiter’s team of Risk Advisory Services professionals can help you. Email | Call: 804.747.0000
Access all of our articles in our SOC Reporting series
- Does your service organization need a System and organization Control (SOC) Report?
- How long does it take to get a SOC Report?
- When to Choose a SOC 1 vs SOC 2 Report
The information contained within this article is provided for informational purposes only and is current as of the date published. Online readers are advised not to act upon this information without seeking the service of a professional accountant, as this article is not a substitute for obtaining accounting, tax, or financial advice from a professional accountant.