SOC Audits: What To Expect
Articles by: Richey May, Jun 09, 2020
If your company is pursuing a SOC Audit, you might not know what to expect from the process. Even if you have completed the process before, you may have had a poor experience and might still be wondering what’s reasonable to expect from your auditor.
Since the SOC process is so in-depth, communication is key for leaders to feel comfortable with the process. If you’re embarking on the process of getting a SOC Audit started, here is a review of the process to help you understand what it will be like.
SET THE SCOPE
Our team starts by helping your leadership decide which is the correct SOC Framework to use for your company (see the table below – different SOC types serve different purposes). We will assist you in evaluating what your clients are likely to require and your internal needs based on a thorough question and answer process.
Before the real audit begins, we complete a readiness assessment to evaluate what controls and processes you already have in place, and whether they are suitably designed to achieve your objectives. We use this time to refine our testing methods and to identify control gaps that need remediation.
After the readiness assessment, we will deliver immediate recommendations for changes to make internally before the official observation period for the SOC Audit.
REQUEST OF DOCUMENTS
After the remediation, we will begin the official audit by requesting documents applicable to your SOC Type and identified scope.
TESTING & OBSERVATION
Our team will perform walkthroughs of your processes and detailed testing of controls through observation, inquiry, and inspection of supporting documentation.
Our team will take the time to discuss any potential testing exceptions with you and explore alternative forms of evidence for any transactions that deviate from normal processes. We will work with you to expand sample sizes and identify mitigating controls where we can.
After a thorough internal quality review, we will issue the report with our recommendations for remediation and process improvements.
After your audit, we can help you understand your report in detail. While we can’t execute our own recommendations, due to AICPA independence rules, we can help you find independent vendors to assist you as needed.
As more of your clients expect a SOC report for their own security and controls, you’ll want to make sure you have a partner in the process who keeps you informed and understands your industry. Contact us to learn more and get started today!