Over the past few years more and more companies have become familiar with the new Service Organization Control audits. This audit (sometimes referred to by its AICPA standard “SSAE 16”, which replaces the dated SAS 70 standard) is a more detailed analysis of a company’s internal controls and processes; its scope depends on the type of Service Organization Control (SOC) report required. A SOC audit is often requested by clients of companies that handle sensitive financial information, including payroll, cloud computing and loan servicing. A SOC audit provides assurance to clients that the proper internal controls exist to address information security and compliance issues. To help demystify the process and prepare the company, Barnes Dennig has provided a list of preparation steps that can be undertaken prior to the audit.
- Document Core Practices – The type of organization and customer served will dictate which practices need to be identified and documented prior to the audit. Since a main goal of the SOC audit is to provide assurance that risk and compliance controls are functioning properly, it’s necessary to identify those which are of greatest importance to customers.
  For example, if a cloud service company is conducting a SOC audit, then it makes sense that it would test its IT security, authentication and risk management procedures. This might include password updating policies, VPN access procedures, disaster recovery plans and physical security procedures. Attention will also be paid to companywide policies that may not be directly related to the service offering. Before the audit begins, it’s essential for the company to identify and document the key processes to be tested. If you would like assistance with this phase, Barnes Dennig offers a Policies and Procedures Bolstering service that assists with documentation and identifying best practices.
- Conduct an Internal Review – This is often the most useful step a company can take when undergoing a SOC audit for the first time. Check that supporting forms and documents can each be tied to a stated policy. If anything is outdated, make sure it’s updated and that the proper documentation, including forms, exists to support essential policies. An internal review will help catch these weaknesses before the formal audit. To assist with this process, Barnes Dennig offers a Readiness Assessment. This involves drafting the controls and language necessary to complete the audit. We call this an open book test. We are able to assist with this readiness assessment until you are ready for an audit. When you are ready, we will discontinue the Readiness Phase and begin the actual audit.
  By closely reviewing the core processes and controls identified in the prior step, it will be easier to identify gaps in policies, procedures, practices, documentation and workflow. As part of the process, be sure to review employee manuals, making sure they are up to date and provide specific information about policies.
- Document, Document – It’s important to note that all key controls should be documented. Not only should a company have every key process documented, with supporting materials that help carry it out, but there should also be evidence that these processes are being followed. Although most companies know what needs to be done and how, SOC audits require written documentation to prove that a process exists, that employees know when it should be followed and how it should be implemented, and that a resource for assistance is available when needed.
The first time a company undergoes a SOC audit can be a challenging process. There are many steps that need to be considered and addressed, so the more preparation that can be completed beforehand, the better. If your company is considering a SOC audit or would like assistance with a readiness assessment, Barnes Dennig wants to help. For additional information, please contact us at 513-241-8313. We look forward to speaking with you soon.