So your stakeholders (e.g. lenders, banks, regulators, clients or prospects) have requested a Service Organization Control (SOC) report, and you’re teeming with questions about what these reports are and how they can help you satisfy their needs. Some of those questions might include:
- What is a SOC examination and what are the differences between SOC 1, SOC 2 and SOC 3 reports?
- How can we prepare for the SOC examination?
- What standards govern SOC examinations?
In these pages, we have tried to clear up some of the misconceptions about SOC reporting (such as the idea that it provides an audit’s level of assurance), as well as take a closer look at how businesses prepare for a SOC examination and the principles and standards that accountants use to determine the procedures necessary to develop an opinion on management’s assertion.
The SOC Report Process
The SOC Report process is a collaborative effort between you and your Auditwerx team to improve systems as well as test controls. Experienced accountants and IT professionals guide you through this process to help you determine what type of report is needed and what controls will be reviewed.
Once you understand what type (or types) of review you need, your engagement team performs a readiness assessment and provides you with clear suggestions on any improvements that need to be made. Our goal is not just to verify that your internal controls are adequate; we take every opportunity to suggest enhancements to strengthen your control environment.
Because Auditwerx professionals maintain credentials on both the accounting and technology sides, we can “speak Geek” by talking technical details with your IT professionals and translating those discussions into “Plain English” and action items that can be understood by those who may not be as knowledgeable about technology.
At the core, we’re not out to mandate seismic shifts in any organization’s systems. If we suggest changes in a system, we explain why the changes are beneficial, in terms that make sense to management, and how the changes should be made, in terms that make sense to IT professionals.
4 Steps to Delivering the Reports You Need
Step 1: Planning
The planning process begins with a call in which your Auditwerx team leader describes the SOC report process and helps you determine what services are appropriate for the engagement. Once we have agreed on the scope of the engagement, a second call will clarify the details of the engagement, set expectations, and finalize milestone dates.
Step 2: Preparation
Once these calls are complete, Auditwerx prepares a draft of the engagement plan and submits it to you for review and feedback. Upon finalization of the plan, the collection of supporting documentation begins. Your staff compiles the information we will need and uploads it to a secure portal that we provide. The engagement plan lays out a timetable for this part of the process. When the documentation is complete, your Auditwerx team arrives on site to perform the in-person part of the examination.
Step 3: On-Site Testing
At Auditwerx, we place a premium on our clients’ time. We work hard to manage the duration of our on-site testing in order to gather as much of the information we need as possible (with a goal of obtaining all of it) with the lowest possible impact on your business. You will get a detailed itinerary prior to your team’s visit. During the visit, the team conducts interviews, performs walk-throughs, and reviews processes and infrastructure as detailed in the plan. If the scope of the examination requires testing of transaction processes, tests of the operational effectiveness of your internal controls will be performed at this time. At the conclusion of the fieldwork, your team leader meets with you to discuss findings and provide recommendations. We share preliminary findings with your leadership team and offer suggestions for improvements.
Step 4: The SOC Report
We strive to deliver the draft report to your leadership within two weeks of the on-site visit. We expect that the entire process, from the signing of the engagement letter to the delivery of a final report, should be complete within eight weeks. Once completed, we provide the final report and any associated deliverables.
By following this process, your Auditwerx team provides the highest quality SOC report in the shortest amount of time necessary and with the least disruption to your business.