Understand your business and services
The services you offer
The key to completing a SOC report that will be useful to your clients is for the auditor to thoroughly understand your company’s array of services offered and, more importantly, those that are subject to the SOC examination. This phase of the readiness assessment narrows the focus of this process and increases efficiencies in our questions and testing, which means less time is required from your valuable staff.
Develop system boundaries
What your clients want to know
Once the “in-scope” services are determined, the next step is to clarify both the processes and systems that support those services in order to establish the system boundaries and what is included in the SOC report. This step further narrows the focus and spotlights only those critical areas that are important to your clients’ comfort while eliminating information not applicable to the services you provide.
Identify control gaps
Giving you a plan to get ready
Once the in-scope services, processes and systems are established, the next step is pinpointing key controls and, even more importantly, any control gaps. Control gaps consist of either controls that are not in place (and should be) or controls that are ineffective. Identifying control gaps is critical because those gaps will need remediation. The “fix” could include a variety of things, such as a new control or simply maintaining audit evidence like log files that are often purged but will need to be maintained over the reporting period.