Recently, the AICPA published the article “Top 10 Tips for CPAs Performing a Service Organization Control (SOC) Engagement.” This inspired us to adapt that list into our own top 10 tips for companies considering a SOC report.
1. Who should perform a SOC readiness assessment?
Does your company have mature controls and procedures in place? Do you have risks in your business that have not been addressed by a control? These questions can be answered through a readiness assessment.
2. Should a company issue a SOC 1 or a SOC 2 report?
Each report has a different subject matter. The SOC 1 focuses on controls relevant to internal control over financial reporting. The SOC 2 focuses on controls relevant to security, availability, processing integrity, confidentiality and privacy.
3. Consider the additional benefits of the SOC 2 report.
In today’s world, with security and credit card breaches all over the news, the SOC 2 gives your customers additional comfort over high-risk areas like security, confidentiality and privacy. Many entities have both a SOC 1 and a SOC 2 report.
4. Evaluate the skills and experience of the auditors.
When choosing a firm to perform your SOC report, consider its experience in systems, control assessment and your specific industry. If performing a SOC 2, consider the specific IT skills of the auditors, since SOC 2 reports are primarily focused on information technology controls.
5. Understand the opinion that will be issued at the completion of the SOC report.
An “unqualified” opinion means that the controls in place are designed and operating effectively in order to meet the control objectives described in the report. Exceptions might exist, but the control objectives are still met. A “qualified” opinion means that the controls were not designed or operating effectively. The opinion issued in the report is not a “pass” or “fail.” Obtaining a SOC report is not a certification, and it does not mean the entity is “SOC compliant.” An unqualified opinion in a SOC report will eliminate the need for your customers to come on site to perform their own testing at your organization.
6. Consider subservice organizations.
If you use a subservice organization, such as a company for data center hosting, you will need to decide if you want to include their controls in the scope of your report (the inclusive method) or exclude the controls in their environment (the carve-out method).
7. Consider the period to be covered by the SOC report.
Most reports cover between six and twelve months. The majority of the period covered should correspond with your customers’ fiscal year ends.
8. Understand the audience and use of the SOC report.
SOC reports are intended to be used by your customers and their auditors. The report will eliminate the need for your customers’ auditors to come on site to test your controls.
9. What happens when an exception/issue is found?
When testing exceptions are identified, management should provide a response to each exception, identifying any mitigating controls and explaining the process to remediate.
10. Consider user entity controls.
Your customers will need to have certain complementary controls in place in their organization to rely on the controls in your SOC report. These “user complementary controls” should be listed in your SOC report.
Schneider Downs specializes in SOC engagements and has extensive experience in most service organization industries. For more information, contact Steve Thompson at Sthompson@schneiderdowns.com or Eric Wright at Ewright@schneiderdowns.com or visit the SOC section of our website at www.schneiderdowns.com.
© 2014 Schneider Downs. All rights reserved. All content on this site is property of Schneider Downs unless otherwise noted and should not be used without written permission.