Frequently Asked Questions Before a SOC Audit
Articles by: Richey May, Jul 15, 2020
The SOC Audit process is new for a lot of company leaders. With more financial services companies taking third-party vendor security more seriously, service providers may find themselves being asked for a SOC report more often. In addition to providing high quality products and services, you will be expected to assure your clients of your processes, procedures and cybersecurity.
We have performed SOC Audits for service providers in the mortgage and financial services industry for years. The following are common questions we get at the start of a SOC engagement.
Why do I need a SOC Report?
- YOUR CUSTOMERS EXPECT IT: A SOC Report demonstrates to your customers that you care about protecting their data and the accuracy of their financial records. With lenders facing increased threats from data breaches, and costs from cyber-attacks mounting, vendors can expect increased scrutiny around their own security. By proving you have the right processes and controls in place to safeguard and manage your customers’ information, and to respond if a threat does occur, a SOC report puts you at a competitive advantage.
- UNDERSTAND YOUR NEEDS AND CAPABILITIES: The threat landscape for today’s businesses is constantly changing. Knowing your ability to protect financial or customer information, detect and respond to threats, and reduce risk are all key to setting a business strategy. Your understanding of your risks colors every part of your business, from hiring for key positions to revising your annual financial goals to building a business continuity plan with confidence.
- INTERNALLY, IT’S NEEDED: Because a SOC Audit is completed by a third party, it can be a valuable chance to get a fresh perspective on your business processes. Your auditor will delve deeply into your operations and, with the right expertise, can uncover opportunities to strengthen your control environment across the entire company.
How do I choose the right framework?
Your auditor should help you understand whether you need a SOC 1, SOC 2, SOC 3, or SOC for Cybersecurity report. In addition, they should help you determine whether a Type 1 report (a test of control design) or a Type 2 report (a test of operating effectiveness) is necessary. Typically, a Type 1 report is conducted in year 1 and Type 2 reports each year thereafter.
You can refer to this chart or the AICPA website for the basics, but be sure to work with your auditor to set the right scope.
Do you have to come on site for the audit?
We can usually do audits remotely. Occasionally, regulatory requirements or company procedures mean we must review physical files, but this is rare. We have successfully continued engagements through COVID-19 using remote work software and tools.
How long does it take?
SOC engagements generally last about 3 years. Over the course of those 3 years, various areas will be evaluated according to your audit plan and scope.
Will the audit impede operations?
Usually not. We will need to interview stakeholders and process owners, but we can work with those individuals or teams to accommodate their schedules. SOC engagements are ongoing, meaning we are invested in our relationship with the client. Generally, many company leaders find the audit process to be low-impact.