A SOC examination (SOC 1/SSAE 16, SOC 2 and SOC 3) is often requested by organizations (“user entities”) that receive significant services from a service organization and their auditors (“user auditors”). The following key steps will help service organizations to prepare for a SOC examination:
• Partner with a firm that specializes in performing SOC examinations.
• Conduct a risk assessment to identify risks associated with services provided.
• Determine the service areas that will be covered, taking into consideration:
- Who the user entities are
- What controls are relevant to users
- What controls/service areas are required by users
• Set the testing locations and parameters.
• Identify the control objectives and activities and consider risks that threaten the achievement of the control objectives.
• Establish the proper examination period (match with user needs).
• Ensure that there is proper evidence to support controls to be tested.
• Consider the impact of system changes on the ability to retain evidence.
• Assess the control environment for sustainability.
• Consider and incorporate changes in processes, systems and the control environment into the description of the system.
The following are additional steps that service organizations should consider during the SOC examination process:
• Conduct a self-assessment or readiness assessment to determine whether controls are in place and properly designed.
• Appoint one or two personnel to facilitate coordination of the SOC examination procedures and documentation requests.
• Train service organization employees to communicate the importance of the examination, set expectations for the examination, build awareness of the examination requirements and support a control-minded culture.
Please contact Schneider Downs to learn more about our SOC examination service offerings. Our experienced and proven group of professionals who specialize in reporting on controls at service organizations is composed of multidisciplinary professionals experienced in providing audit and attest services, internal audit and risk advisory services, and IT audit services.
© 2012 Schneider Downs. All rights reserved. All content on this site is property of Schneider Downs unless otherwise noted and should not be used without written permission.
This advice is not intended or written to be used for, and it cannot be used for, the purpose of avoiding any federal tax penalties that may be imposed, or for promoting, marketing or recommending to another person, any tax-related matter.