SOC Controls: More Isn’t Always Better
Are you in the process of developing and documenting controls for your SOC 1 or SOC 2 report? Maybe you already have a report and controls in place that you have audited each year. In either case, have you given thought to the number of controls that are tested and included in your report each period? Here are a few reasons why you should. When it comes to SOC controls, more isn’t always better. Limiting the number of controls that need to be tested can save your company time and money.
The first matter to address related to controls in your SOC report is coverage. If your company has a SOC 1 report, you have a bit more control over this factor. Your organization has identified the control objectives that are relevant to the service or system being provided. Therefore, the controls that are identified should be limited in scope to the specific control objectives identified. For a SOC 2 report, the scope is pre-determined by minimum control criteria which must be met to fulfill the principles that your report addresses. SOC 2 controls are more extensive as they must meet the AICPA Trust Services Criteria.
Scope creep is something to keep an eye out for. Regardless of whether you are doing a SOC 1 or a SOC 2 report, it is important to make sure that the controls within your report are relevant only to the system or service to which your report relates. Make sure that you have not inadvertently included controls that have nothing to do with your system or service, or that relate to it only peripherally.
You may be thinking, “If I am already performing certain controls, shouldn’t I just include them in our company’s report?” In most cases, this is a great idea. You get the benefit of including the control with no additional work for your company. There are some exceptions. If the control is in place but not well documented, and implementing and maintaining evidence for it will be time-consuming, it may make sense not to include that control. Another instance in which including the control may not make sense is when the control objective or control criteria are already fully covered, so the control isn’t needed to fulfill coverage requirements.
Quality versus Quantity
Finally, there is the whole quality versus quantity discussion. The readers of your report are much more interested in the strength and applicability of your controls than in the sheer quantity of them. It might be useful to take a critical look at your controls by control objective or control criteria and determine whether they are all providing valuable information to your readers. Begin by focusing on controls that fulfill multiple control objectives or criteria. These controls result in time and cost savings, as the evidence only needs to be produced once and tested once but is used throughout your report to support various control objectives or criteria.
Unfortunately, there is no standard number of controls and no standard set of control types that will fit all situations. Each company is different. The number and types of controls will vary based on whether controls are manual or automated, what types of systems are in place, and the number of individuals available to perform the controls.
If your company is considering a SOC report or has questions about the quantity and quality of your SOC controls, please contact our team. We are happy to help answer any questions to improve your SOC report or determine if a SOC report would be useful for your company.