SOC 1 & SOC 2 Audit Readiness
Reliance on third parties continues to expand within many organizations, whether in the public, private or non-profit sector. Just about ANY third-party processor that services the healthcare, life science, technology & communications, public infrastructure, and financial services sectors is required to obtain a SOC report (a.k.a. Service Organization Control report) from a public accounting firm. Why? Nearly 30 years ago, the American Institute of Certified Public Accountants (AICPA) developed a service that evaluated the integrity and reliability of certain third-party processors (e.g., payroll and benefit processors) in a report called a SAS 70. However, more recent concerns related to the security, privacy and confidentiality of sensitive (and not so sensitive) information, primarily due to “hacking,” have fueled the demand for greater assurance. The AICPA has responded to this demand in the form of SOC 1 and SOC 2 reports. We leverage our experience in generating over 100 SOC reports for large international accounting firms over the past 10 years by helping third-party processors develop and deliver SOC reports to their customers.
SOC Reporting Readiness Assessment & Remediation – as the saying goes, “think before you act,” and before any third-party processor undergoes a SOC 1 or SOC 2 examination, we often recommend a readiness assessment to ensure you will successfully complete the examination. The uptick in demand for SOC 2 reports and the changes required by the AICPA within SOC 2 reports by mid-2018 will require an assessment of technological, operational, and perhaps financial processes. Logical security, IT operations, and program change control, as well as the governance structure, risk assessment, communication & information sharing, and monitoring activities conducted by management, will require an evaluation, and perhaps improved documentation. More recently, third-party processors are coupling their HIPAA or PCI compliance obligations with their SOC 2 report (a.k.a. SOC 2 Plus). All of this requires a broad and deep understanding of SOC reporting – and of the implications of HIPAA and PCI compliance. We assist third-party processors by identifying “gaps” in their processes, and help to remediate such gaps in a transparent, economical and useful way.
SOC Report Drafting – SOC reports are an important face of third-party processors and the image they project to both customers and prospects. What you say is just as important as how you say it, and the processes and controls presented in the section titled “Management’s Description” should be portrayed in a clear manner and create a favorable impression with your customers. Given our experience in developing and crafting SOC reports over the past 10 years, we are very familiar with the language, content and form of SOC reports, and we assist our clients in drafting the entire report in an unambiguous and sufficiently thorough way. This spares management the distraction, time and energy of drafting the report themselves, and results in a more efficient effort.
SOC Audit Program Management & Controls Testing – the perceived (and real) risks associated with SOC reports will continue to rise. Revised standards issued by the AICPA will increase the intensity of SOC examinations and “raise the bar” for achieving an unqualified opinion. Consequently, the cost of SOC reporting will also rise. To mitigate these risks and costs, we assist third-party processors in managing the SOC examination process by coordinating the exchange of information between management and the independent auditor. We also perform testing of controls on behalf of management, on which the independent auditor can rely, which often reduces the overall cost of the SOC examination effort.