Ask the Experts – Video Transcript

Robert Ramsay, Director, and Beth Germann, Manager
Barnes Dennig Ask the Experts July 2020

Beth Germann (00:00):

I’m Beth Germann, a manager here at Barnes Dennig. Today, I’m talking with SOC audit expert and practice leader, Robert Ramsay, about SOC reports. Robert, what is a SOC report and how many types are there?

Robert Ramsay (00:23):

Sure. Hi, Beth. Good to see you. SOC reports are business-to-business reports, in the audit once, report many model. A company has auditors come in, test controls, and then they have a report they can give to their customers. They come in a few different varieties. SOC 1 is internal controls over financial reporting, so that applies to companies like payroll companies or third-party administrators where debits and credits are involved. Accountants love those. Then there’s a SOC 2, and it’s more data security, availability, confidentiality, kind of like an IT audit, both of which have an audit component. I’d say it’s like a half of an audit, where they’re testing and making sure the controls are working, and a disclosure component. You’re letting your customers know, your vendors, your supply chain, how you deliver the service, your people, your data, your infrastructure. That’s the disclosure component.

Beth Germann (01:21):

Okay. What’s the process look like from a company perspective?

Robert Ramsay (01:27):

Yeah. It varies depending on if it’s a recurring report or the first time, but they all include a planning phase where the teams get together and agree on the schedule, how often we want to touch base and report, and the exact type of the deliverable. How are we going to work together? That’s planning. Then we begin evidence gathering, so the auditors need copies of contracts and detailed descriptions of the environment. There’s a bit of background investigation and understanding and sharing there. Then there’s a testing phase. These are kind of audits, and so we’re testing controls. Whether it’s controls over financial reporting or data security, we’re going to ask for evidence of firewalls working and antivirus, or bank reconciliations and account reconciliations and reporting processes. Then there’s a reporting component where we’ll draft this, share it with management, make sure we got it right, make sure we all agree on the types of communication, and then the company will have a report that they can deliver to their customers as they see fit.

Beth Germann (02:33):

Okay. Now, Robert, here’s a question. How might this look during a pandemic?

Robert Ramsay (02:38):

Yeah, good question. Fortunately, our team works around the country. We have clients globally, and we’ve been doing 90 percent of this remotely already anyway. A lot of the evidence gathering and a lot of the meetings, of course, can be done like this online. During the process, we request a great deal of information, all those contracts I mentioned at the beginning and then all the evidence throughout the process, and we do that asynchronously. We have a tool where we can put the list of requirements and requests online, and then a company can upload those at their convenience asynchronously. The tool allows for distributing those to different people, whether it’s an HR person putting HR-related documents, or an IT person putting data security-related documents.

Robert Ramsay (03:23):

We can put due dates. We can dialogue about items. There’s a simple and easy reporting function that gives you a quick graph so you can know where things stand, so that’s really nice, and it of course works great working remotely. We like to visit when we can, and we love to take tours and see our clients, but if we’re unable to, we can do it like this online and tours can be done with FaceTime or video walkthroughs. So we’re doing very well, really, during the pandemic.

Beth Germann (03:52):

Okay. What would be the timeframe or the cost associated with the report?

Robert Ramsay (03:58):

Yeah. Like a lot of projects or audits, it varies greatly depending on the complexity, the number of locations, the size of the operation, that kind of thing. But there is a baseline, and for small operations that have a single location, a single primary service, they start at $20,000, I would say. They start at months, not weeks, and months, not years. So, a company in a hurry might be able to do this in a month or two, and a company that’s not in a hurry could take their time and spread it out. Typically, it’s three or four months with a lot of change in the middle.

Beth Germann (04:38):

Okay. Robert, I want to thank you for your time, sharing some more about the SOC reports with me. I know there’s a lot of resources available on barnesdennig.com, so I would encourage people to reach out there if they’re interested.

Robert Ramsay (04:53):

Absolutely. Thanks a lot, Beth. And yeah, getting questions online is a great way for us to dialogue and help people understand. It can be funny. Accountants have their SOC 1s and SOC 2s and Type 1s and Type 2s, so we welcome those questions whenever.
