Andrew Wan, CPA, CFE, is the leader of our Emerging Industries and Small to Medium Sized Business Practice Groups. He is an expert in IT auditing services and compliance issues for a wide range of companies.


When a service organization has decided that it needs a SOC exam performed, it often wonders what the next step should be and how long the exam will take. The SOC exam process can be broken into the following phases:

  1. Control Gap Assessment (2 hours to a few days)
  2. Control Design and Implementation (1 to 6 months)
  3. SOC Narrative Preparation and List of Controls (completed during the Control Design and Implementation phase)
  4. SOC Independent Auditors' Fieldwork (3 days to 3 weeks)
  5. SOC Reporting (1 to 2 months)

More details of each phase are noted below:

  1. Control Gap Assessment

During this phase, the service organization gains an understanding of which controls it lacks for addressing the various control objectives (SOC 1) or Trust Services Criteria (SOC 2). This can be done with the auditor's help, or the organization can perform its own analysis of which existing controls address each criterion. This phase can take from a few hours to a few days depending on the size of the organization, the depth of the analysis, and the complexity of the systems.

Larson & Company provides a free 2-hour initial SOC readiness assessment to help identify any control gaps a service organization may need to correct, as well as any control design deficiencies. The most commonly identified gap for a company preparing for its first SOC exam is documentation: either the absence of formalized, written policies, or the lack of evidence that a control was actually performed, such as a sign-off from an independent reviewer or a recorded approval of a code change before it is migrated to the production environment. A control that runs without leaving evidence cannot be tested. This assessment also gives the auditor detailed information on the number and type of controls in scope, allowing the auditor to determine the nature, timing, and extent of testing required and to provide the service organization with a more accurate engagement fee estimate.


  2. Control Design and Implementation

Once the service organization understands, from the control gap assessment, the areas where controls are lacking, it is ready to design and implement those controls. It is important to note that a well-designed control is more than the mere deployment of a procedure or a tool; it should also incorporate review of the results and documentation of what was done. For example, if an entity deploys a new intrusion detection system, the control should also include notification of the appropriate parties when an alert fires, review of the alerts by those parties, and proper documentation of incidents along with the resulting plans to mitigate them. This phase usually takes from 1 to 6 months depending on the number of controls that need to be implemented and their complexity.


  3. SOC Narrative Preparation and List of Controls

As part of the SOC exam, the service organization is also required to prepare its description of the system, which is included in the SOC report. This description covers the services provided by the system, the service commitments and system requirements, and a general overview of the system environment, including any subservice organizations and any complementary user entity controls (controls the customer is expected to operate). The service organization also provides the SOC auditors with a list of its controls, mapped to the relevant criteria or control objectives, so the auditors can plan in detail the nature, extent, and timing of their testing.

This phase of the SOC exam process can be performed during the Control Design and Implementation phase. Although it is ideal for the narrative to be prepared before exam fieldwork begins, in practice it is most often finalized during or after fieldwork, because the wording of controls may change as a result of the auditor's testing.


  4. SOC Independent Auditors' Fieldwork

Once the first three phases are complete and the list of controls has been provided to the auditors, the auditors prepare a list of evidence requests needed to begin fieldwork. During fieldwork, the auditors are onsite to conduct interviews and walkthroughs to observe how controls operate, select samples, request additional evidence that controls were performed, and document the results of their testing. Constant communication between the service organization and the auditor during this phase is essential. It ensures that the auditor fully understands the controls and surfaces whether changes to the control descriptions are necessary. It is also essential that all parties understand and agree on the cause and impact of any exceptions discovered during testing. The time the auditors spend onsite depends on the complexity of the system and the availability of the control documentation needed for testing, but fieldwork generally lasts between 3 days and 3 weeks.


  5. SOC Reporting

Once exam testing is complete, the auditor and the service organization work together to finish drafting and proofing the report. For SOC 1 Type 2 and SOC 2 Type 2 reports, the reporting guidelines require that any exceptions found by the auditor during testing be listed in the results section of the report. It is not uncommon for testing to produce exceptions. Although such exceptions appear in the results section, as long as they are not significant enough to indicate a likelihood that the control objective (SOC 1) or criterion (SOC 2) would not be achieved, the auditor's opinion may still be a "clean" (unqualified) opinion. Management of the service organization may also respond to any exceptions noted, either alongside the auditor's description of tests and results or in a separate section of the report. This phase of the SOC exam usually takes about 1 to 2 months.


2-Hour Free SOC Gap Assessment

As the interdependent phases above show, preparation is key to a successful SOC exam. It is essential that both parties (auditors and service organization) communicate openly about the scope of the SOC exam and the requirements that must be met. As mentioned above, Larson provides a free 2-hour initial SOC readiness assessment to help service organizations determine which SOC exam best fits their needs and to identify potential control gaps. If you would like to take advantage of this free assessment, please contact Andrew Wan at awan@larsco.com or at 801-984-1829.