Who takes responsibility for a Service Organization Control (SOC) audit?
Yes, the title gave away the answer a bit. Although the responsibility for the completion of a SOC audit will rest with the board of directors and can be delegated to a key member of management (e.g. controller), an organization’s internal audit department (IA) is in the best position to do the leg work to prepare the company for a successful SOC audit.
IA should already be familiar with some accounting processes applicable in a SOC. The main areas where IA will have familiarity are control objectives regarding transaction processing integrity. Often IA has been tasked with reviewing the transaction processing of some other department. They may conduct random audits of that department’s activities or select activities with a specific criteria, such as a dollar threshold or transactions handled by new employees.
For control objectives regarding network security, data backup, software changes, etc., IA may not be as familiar with applicable processes. However, IA typically is a) trained to select transactions using sampling methods and risk, and then to evaluate those transactions and formulate a report; b) understands control terminology and concepts such as automated versus manual controls and the differences among preventive, detective, and corrective controls; and c) understands audit documentation standards. These methodologies, concepts, and competencies can be applied to all control objective areas. The following example demonstrates how sampling method (method), control concepts (concept), and documentation competency (competency) can be relevant.
Take the control objective “controls provide reasonable assurance that data is backed up regularly.” An identified control in this area could be that a system backup is automatically run each night to tape and a log is generated showing successful completion or potential errors. IA understands that part of this control happens automatically, so they observe a single instance of the log generated by the system (method – check). However, they also understand part of this control is manual and corrective, i.e. after the log is automatically generated, an employee must then review the log manually and resolve/correct errors (concept – check). Finally, to prove the control occurred there must be documentation, so IA will recommend that the employee charged with resolution documents this event (competency – check).
As IA follows this process for each control objective and identified control, they are preparing an effective and documented set of controls which will allow the company to have a successful SOC audit. For more information on SOC Audits or for a free 2-hour consultation to see if a SOC audit is right for your organization, contact Andrew Wan today.