The SOC 2 Readiness Assessment – Process and Expectations

Service organizations may undergo SOC 2 audits for a number of reasons. Most organizations go through SOC 2 reporting because user entities require it as part of their vendor risk management programs. The SOC 2 audit report is an examination of the design and operating effectiveness of the service organization’s controls relevant to the AICPA Trust Services Criteria, providing user entities the level of assurance they need regarding the design and operating effectiveness of those controls.

The Readiness Assessment Process

The very first step in preparing for a service organization’s first SOC 2 audit is to complete a readiness assessment. The readiness assessment is typically performed by the audit firm that is chosen by the service organization to perform the SOC 2 audit. The purpose of the readiness assessment is to perform an initial evaluation of the service organization’s current internal controls and determine if they are sufficient to meet the AICPA Trust Services Criteria. The readiness assessment is performed prior to the initiation of the SOC 2 reporting period.

The readiness assessment can effectively be separated into four distinct phases.

  1. Selecting the Trust Services Criteria and Defining the Scope
  2. Identifying and Mapping of Controls to the Trust Service Criteria
  3. Gap Analysis and Remediation
  4. Description of the System and Documentation Evaluation

Selecting the Trust Services Criteria and Defining the Scope

The SOC 2 audit report provides an opinion on the design and operating effectiveness of controls that meet the AICPA Trust Services Criteria framework. The first step in the readiness assessment is to identify which of the AICPA Trust Services Criteria are applicable to the services provided by the service organization. The AICPA Trust Services Criteria framework defines five categories, and within each category are multiple criteria that must be met to satisfy the objectives for that category. The categories are Security, Availability, Processing Integrity, Confidentiality, and Privacy. The AICPA defines Security as the baseline category, and the Security category is required in all SOC 2 reports. The service organization should evaluate, in collaboration with the audit firm chosen for the readiness assessment, the appropriate trust services criteria categories to include in the SOC 2 audit based upon the services provided and commitments made to customers.

During the scoping process of the readiness assessment, the service organization will also outline the boundaries of the system included in the scope of the SOC 2 audit. It is important to note that the SOC 2 audit scope does not cover the organization’s entire environment; it defines a specific system that can be connected to one or more service lines provided to the user entities. This phase of scoping requires the service organization to define specifically which services are going to be included in the SOC 2 audit.

Identifying and Mapping of Controls to the Trust Service Criteria

Once the relevant trust services criteria categories and the scope and boundaries of the system subject to the SOC 2 audit have been identified, the next step is to identify and map the service organization’s controls to the trust services criteria. In this phase, the audit firm performing the readiness assessment collaborates with the service organization to identify the controls currently in place and map those controls to the appropriate trust services criteria. The objective during this phase of the readiness assessment is to determine whether the service organization’s current controls are sufficiently designed to satisfy each of the trust services criteria.

The identification and mapping phase of the readiness assessment is the most intensive of the four phases. The service organization can expect this phase to require substantial resources, given that the internal controls required to meet the various trust services criteria often require employees from multiple departments and various seniority levels to participate in the evaluation meetings with the audit firm.

Gap Analysis and Remediation

At the completion of the identification and mapping phase, the service organization and audit firm will have identified gaps in the design of the internal controls necessary to meet each of the applicable trust services criteria. Upon identification of the gaps, the service organization can work with the audit firm in an advisory capacity to determine the appropriate remediation. Remediation typically includes the service organization implementing additional controls or enhancing current controls to sufficiently meet the trust services criteria. It is important to note that the audit firm performing both the readiness assessment and the SOC 2 audit must be incredibly careful not to cross the line and impair its independence. All SOC 2 internal controls are the responsibility of the service organization’s management, not of the audit firm performing the SOC 2 audit.

Description of the System (Narrative) and Documentation Evaluation

The final phase in the process involves two steps: drafting the description of the system (narrative) and reviewing the audit documentation. The first step is drafting the description of the system for the SOC 2 audit report. The description of the system is a document that provides detailed information on the background of the service organization, the scope and boundaries of the system, and a detailed description of all relevant processes and controls that meet the trust services criteria. The description of the system should clearly outline all components within scope, and every control included in the SOC 2 audit should be sufficiently described in it.

The second step of the final phase of the readiness assessment is for the audit firm to complete walk-throughs of all controls and processes at the service organization. The walk-through process verifies that the controls identified to meet the relevant trust services criteria have been adequately implemented and documented. After the audit firm is convinced that the controls are in place and that sufficient evidence exists to verify the operating effectiveness of the controls, the actual period for the SOC 2 audit report can be discussed.

This is a look at the four phases of a typical SOC 2 readiness assessment; however, the expectations and processes for each phase can vary for each service organization. McKonly & Asbury’s SOC team is available to assist your service organization through the readiness assessment and SOC 2 audit. For more information, be sure to visit our SOC & Technology service page, and don’t hesitate to contact Dave Hammarberg, CPA, CFE, CISSP, GSEC, MCSE, CISA with further questions regarding SOC 2 reporting and our services.

About the Author

Josh Bantz

Josh joined McKonly & Asbury in 2006 and is currently a Director with the firm. He is a key member of the firm’s Audit & Assurance Segment, primarily working with clients in the firm’s Service Organization Controls (SOC) Practice.…
