November 3, 2025
The SOC (System and Organization Controls) audit process offers a structured approach to evaluating the controls and processes of a service organization. The resulting report gives customers and other stakeholders independent assurance about how the organization handles and protects the data entrusted to it. Below is a detailed look at the typical steps involved in the SOC audit process.
1. Preparation Phase
If you are a new service organization interested in conducting a SOC audit with Larson & Company, the process begins with a readiness assessment. During this meeting, we discuss the system the service organization wishes to audit and Larson’s audit process. After this meeting, Larson produces an assessment report containing recommendations for remediation and a quote for the work. If the organization decides to proceed, Larson submits an engagement letter to formalize the engagement terms. This letter outlines the scope of the SOC audit, the dates of the SOC period, the audit cost, and the selected Trust Services Categories (security, availability, processing integrity, confidentiality, and/or privacy). Security is required in every SOC 2 examination; the other four categories are selected based on the commitments the organization makes to its customers.
Scheduling and Planning:
Once the service organization has signed the engagement letter, Larson’s SOC team helps the organization identify the controls that address the selected criteria, sets up an evidence request list, and begins scheduling calls for control observations, typically starting six weeks before the SOC period begins. Throughout this preparation phase, the Larson team answers questions and stays in frequent contact with the organization.
Audit Kickoff Meeting:
Larson’s SOC team holds the audit kickoff meeting with the service organization a week before testing begins. This meeting introduces the team members, clarifies the roles of the audit team and of the service organization’s contacts, confirms the schedule of live observation calls, and addresses any questions or concerns the service organization may have about the upcoming audit.
2. Testing Phase
The core of the SOC audit process is the testing phase, in which Larson’s SOC team tests the service organization’s controls against the selected AICPA Trust Services Criteria. Controls that depend on system configurations and settings are observed directly, during virtual or in-person sessions in which the organization demonstrates the configuration in the live system. Controls evidenced by documents, such as policies and procedures, can be supported by evidence the service organization uploads to an online portal for asynchronous review. For a Type 2 report, evidence is requested across the entire SOC period rather than at a single point in time. Regular status meetings are held with the service organization to keep the audit on schedule and to answer any questions or concerns.
3. Review and Reporting Phase
After testing concludes, the tested areas are reviewed by an audit manager or partner, and additional questions may arise during this internal review. In parallel, drafting of the SOC report begins. The SOC report contains four sections: Management’s Assertion (Section I), Independent Service Auditor’s Report (Section II), Description of the System (Section III), and Trust Services Categories, Criteria, and Related Controls (Section IV), which in a Type 2 report also includes the tests performed and their results. The AICPA provides an illustrative template to aid service organizations in drafting Section III, the Description of the System. Larson works closely with the service organization as it drafts this description, providing review and feedback. Larson’s SOC team completes Sections II and IV and provides a template for Section I, which management signs.
Signed Letters and Fraud Inquiry:
Before Larson issues the SOC report, the service organization responds to final inquiries, including the fraud inquiry, reviews the draft report, and signs a representation letter in which management takes responsibility for various aspects of the engagement (for example, asserting that all information provided to the auditor was complete and accurate).
Issuance of Reports:
Once the letters and inquiry are complete, the final report is issued to the service organization via email.
Service Organization Follow-Up:
Our commitment doesn’t end when the report is issued. We believe in maintaining open lines of communication to ensure your controls continue to operate effectively and evolve with your organization’s needs. Whether it’s a brief check-in, an online meeting, or a casual lunch a few months down the road, we’re here as a resource for questions, clarification, or future planning.
For additional guidance, contact us today. Larson & Company has developed a suite of SOC audit services specifically to serve the needs of companies of all sizes in a wide range of industries.