Preparing for a Service Organization Control (SOC) Report: Establishing the Examination Requirements and Preparation Tactics


By Heather Haemer

A SOC examination (SOC 1/SSAE 16, SOC 2 and SOC 3) is often requested by organizations (“user entities”) that receive significant services from a service organization and their auditors (“user auditors”). The following key steps will help service organizations to prepare for a SOC examination:

• Partner with a firm that specializes in performing SOC examinations.
• Conduct a risk assessment to identify risks associated with services provided.
• Determine the service areas that will be covered, taking into consideration:
   - Who the user entities are
   - What controls are relevant to users
   - What controls/service areas are required by users
• Set the testing locations and parameters.
• Identify the control objectives and activities and consider risks that threaten the achievement of the control objectives.
• Establish the proper examination period (match with user needs).
• Ensure that there is proper evidence to support controls to be tested.
• Consider the impact of system changes on the ability to retain evidence.
• Assess the control environment for sustainability.
• Consider and incorporate changes in processes, systems and the control environment into the description of the system.

The following are additional steps that service organizations should consider during the SOC examination process:

• Conduct a self-assessment or readiness assessment to determine whether controls are in place and properly designed.
• Appoint one or two personnel to facilitate coordination of the SOC examination procedures and documentation requests.
• Train service organization employees to communicate the importance of the examination, set expectations for the examination, build awareness of the examination requirements and support a control-minded culture.

Please contact Schneider Downs to learn more about our SOC examination service offerings. Our experienced and proven group of professionals who specialize in reporting on controls at service organizations is composed of multidisciplinary professionals experienced in providing audit and attest services, internal audit and risk advisory services, and IT audit services.

© 2012 Schneider Downs. All rights reserved. All content on this site is property of Schneider Downs unless otherwise noted and should not be used without written permission.

This advice is not intended or written to be used for, and it cannot be used for, the purpose of avoiding any federal tax penalties that may be imposed, or for promoting, marketing or recommending to another person, any tax-related matter.

You’ve heard our thoughts… We’d like to hear yours

The Schneider Downs Our Thoughts On blog exists to create a dialogue on issues that are important to organizations and individuals. While we enjoy sharing our ideas and insights, we’re especially interested in what you may have to say. If you have a question or a comment about this article – or any article from the Our Thoughts On blog – we hope you’ll share it with us. After all, a dialogue is an exchange of ideas, and we’d like to hear from you. Email us at contactSD@schneiderdowns.com.

Material discussed is meant for informational purposes only, and it is not to be construed as investment, tax, or legal advice. Please note that individual situations can vary. Therefore, this information should be relied upon when coordinated with individual professional advice.
