SOC Control Optimization and Efficiencies

If you currently have a SOC examination performed, how often do you or your auditors review each control to make sure they are up to date and mitigate the risk as intended?

If this is not part of your annual process, it should be. Not only can this help the auditors have a better understanding of the controls, but it can help identify opportunities for new controls, system controls, determine proper control ownership and potentially centralize controls within a department—all of which will help make the SOC examination process run smoother for everyone involved.  This exercise might appear to add time to the overall SOC process, but this will help optimize your control set and create efficiencies that over time should make the overall time investment less for your organization.

When analyzing your control activities, think about what risks the control is designed to mitigate. The control will be performed either manually or systematically to prevent that risk or detect instances of non-conformity. This will help identify what controls are mitigating the key risks associated with the service you are performing for your clients and can help reduce and streamline the controls included within the scope of the SOC examination. It is helpful to assign a value to each control based on the risk the control is designed to mitigate, which will identify what the key controls actually are.

As systems keep evolving, manual detective controls can potentially be replaced with systematic preventative controls if the system controls are properly designed and are mitigating the majority of the risk. Taking advantage of system controls is one aspect of control optimization to drive efficiencies in your SOC examination process. This analysis should be done in conjunction with the risk identification process when assessing the controls that the risks are designed to mitigate. While analyzing the latter, consider where there are multiple controls to mitigate the same risk, as this is an opportunity to analyze the strength of those controls. Also, question whether all these controls are necessary to mitigate the associated risk. Prior to removing any controls, you must consider if the control objective, in regards to a SOC 1, or the Trust Services Criteria (TSC), in regards to a SOC 2, can be satisfied by the remaining controls under that control objective or TSC.

Control optimization should help reduce the amount of time that control owners at your organization spend pulling documentation for outdated manual controls and reduce the time the auditors spend testing the control and asking follow up questions. Another way to drive more efficiencies for your organization would be to appoint one or two employees who will be responsible for ensuring all documentation requested by your auditors is provided completely and timely. This is especially helpful when there are multiple departments or control owners involved.  It is also beneficial to ensure that the documentation to support your control set is easily accessible as well. These simple concepts will help streamline the process and provide fewer interruptions to your day-to-day operations during the SOC examination process. 

For more information on SOC efficiencies and control optimization or how Schneider Downs can assist in strengthening controls or identifying efficiencies please reach out to contactSD@schneiderdowns.com

You’ve heard our thoughts… We’d like to hear yours

The Schneider Downs Our Thoughts On blog exists to create a dialogue on issues that are important to organizations and individuals. While we enjoy sharing our ideas and insights, we’re especially interested in what you may have to say. If you have a question or a comment about this article – or any article from the Our Thoughts On blog – we hope you’ll share it with us. After all, a dialogue is an exchange of ideas, and we’d like to hear from you. Email us at contactSD@schneiderdowns.com.

Material discussed is meant for informational purposes only, and it is not to be construed as investment, tax, or legal advice. Please note that individual situations can vary. Therefore, this information should be relied upon when coordinated with individual professional advice.

© 2019 Schneider Downs. All rights-reserved. All content on this site is property of Schneider Downs unless otherwise noted and should not be used without written permission.

our thoughts on

SSAE 18/SOC BY Eric Davis
SOC Control Optimization and Efficiencies
SOC 2 Examinations - Keys to Success
Five Questions to Assist With Identifying SOC Report Scope
SOC 2 Reports: Common Control Exceptions and How to Avoid Them
SOC 2 Examinations - What Are the Trust Services Criteria and Categories?
How to Decide if a Type 1 or Type 2 SOC Report is Right for Your Organization

Register to receive our weekly newsletter with our most recent columns and insights.

Have a question? Ask us!

We’d love to hear from you. Drop us a note, and we’ll respond to you as quickly as possible.

Ask us

contact us

Map of Pittsburgh Office
Pittsburgh

One PPG Place, Suite 1700
Pittsburgh, PA 15222

contactsd@schneiderdowns.com
p:412.261.3644     f:412.261.4876

Map of Columbus Office
Columbus

65 East State Street, Suite 2000
Columbus, OH 43215

contactsd@schneiderdowns.com
p:614.621.4060     f:614.621.4062

Map of Washington Office
Washington, D.C.

1660 International Drive, Suite 600
McLean, VA 22102