The motives for a SOC 2 will vary among service organizations. The predominant reason a service organization goes through the SOC 2 audit is to satisfy a requirement from either a group of clients or one major client, called user entities in the AICPA SOC 2 guide, is requiring you to have a SOC 2 report. The other benefits of a SOC 2 audit include being able to continue with your normal day-to-day sales to clients requiring a SOC 2 audit and are not limited to stronger internal controls and higher maturity of controls and processes. The benefits your organization sees in just those last two areas should more than justify the cost of an annual SOC 2 audit.
Preparing for a SOC 2 Audit
The next step is preparing for the SOC 2 audit. Depending on the firm you choose, or even the SOC 2 auditor within the firm, this process or preparation will be called either a preassessment or readiness assessment. This assessment is usually performed by the SOC 2 auditor you have chosen. For those of you who have been through other compliance audits in the past, you may be wondering if the same auditor can perform the SOC 2 audit for your service organization while helping you prepare to be audited? The simple answer to that is “yes” they can be the same and usually are, in my experience. The AICPA is the governing body for the SOC 2 audit. The AICPA SOC 2 guide simply says, “When providing assistance to management, the service auditor needs to exercise care that he or she does not make decisions on management’s behalf, which would impair the service auditor’s independence.” When acting as an auditor myself, I take great care to remain objective and independent.
The length of a preassessment or readiness assessment can vary from as short as two months to as long as a year, with an average of four to six months for clients who do not have full time in-house resources working on the preparation for the SOC 2 audit. Our firm is typically able to work with the client at the speed the client is comfortable with. Every organization’s controls are different, and so is the organization’s ability to prepare for the SOC 2 audit.
One of the first steps in the preassessment or readiness assessment is defining scope. Most organizations think that the SOC 2 will cover their whole organization; that is usually a misconception. The scope of the SOC 2 audit will be defined on what services the majority of user entities that will be using the report use from the service organization. This could be one service line or multiple. Organizations could end up with multiple SOC 2 reports for multiple service lines if the user entities for each of the service lines are different. Most likely, those multiple reports will have many of the same controls. According to the AICPA SOC 2 guide “The boundaries of a system addressed by a SOC 2 examination need to be clearly understood, defined, and communicated to report users”. The SOC 2 auditor will work with the service organization to create the boundaries the scope.
AICPA Trust Services Criteria
Initially, a discussion of the control framework will help map current controls and gap analysis to the service organization. This framework, called the AICPA Trust Services Criteria, is based on the COSO framework. There are five categories and under each of those categories multiple criteria that need to be met. The categories are Security, Availability, Processing integrity, Confidentiality, and Privacy. The Security category is mandatory in a SOC 2 audit, and the other categories are optional. Most service organizations new to the SOC 2 audit process will choose to meet the criteria under Security for the first year. This may not be possible if the user entities requesting the SOC 2 report of the service organization define which categories are required. Once current service organizations controls are mapped and a gap analysis is completed, the auditor will work with the service organization’s management to assist in implementing new controls to meet the criteria of the categories selected above. The SOC 2 auditor has to be very careful not to cross the line and impair his or her independence. These new controls need to be discussed, approved and implemented by management. These controls are the responsibility of the service organization’s management and not the SOC 2 auditor.
During the process of meeting the criteria of the categories selected above it usually becomes clear that most service organizations have subservice organizations. Essentially, all subservice organizations are vendors, but not all vendors are subservice organizations. According to the AICPA SOC 2 Guide, “When controls at the vendors are necessary in combination with the service organization’s controls to provide reasonable assurance that the service organization’s service commitments and system requirements are achieved based on the applicable trust services criteria, the vendor is considered a subservice organization.” There are two types of subservice organizations, carved out and inclusive, that have been written about in previous articles. Those organizations and their subsequent controls need to be identified.
Throughout the process of defining controls and figuring out who the subservice organizations are, it will become clear to the service organization that there will be controls at both the user entity and the subservice organization that are required for the service organization to meet its service commitments and system requirements. These controls will need to be documented for the SOC 2 report.
The next step in the process is called the narrative or the description. This is basically a word document that contains information about the subservice organization and identifies all the controls that were defined above to meet the criteria. All the controls identified should be part of the narrative or the description.
Once the steps above are completed the SOC 2 auditor will complete walk throughs of all controls identified to meet the criteria above. After the SOC 2 auditor is convinced the controls are in place, the actual period for the SOC 2 audit can be discussed.
This is a high-level look at the SOC 2 preassessment or readiness assessment and can be very different for each service organization. McKonly & Asbury, LLP would like the opportunity to get your service organization to a level where a SOC 2 audit can be performed. Please contact David Hammarberg, leader of the firm’s SOC, Cybersecurity, Forensic Examination, and Information Technology practices if you would like to discuss your service organizations SOC2.