Linford & Company specializes in helping service organizations go through their System and Organization Controls (SOC) review the first time. Many small- and medium-sized service organizations that approach us at Linford & Company have been asked by one or more of their clients to provide a SOC 1 (f. SSAE 16): AT 801, Reporting on Controls at a Service Organization until May 1, 2017 and then SSAE No. 18: AT-C320) or SOC 2 (AT 101 Attestation Engagement) report, and have no idea what these reports are or what is involved to get the report. We want our clients to be successful, so we provide a readiness assessment for new clients the first year at no additional cost to their SOC 1 or SOC 2 engagement.
What is a readiness assessment? Readiness assessments are designed to assist a service organization in assessing their preparedness for a SOC engagement. Regardless of whether a company is getting a SOC 1 or a SOC 2, there are processes that need to be walked through and documented, and controls that need to be identified. Instead of initially looking at these processes and controls during the period under review (for a Type II; design and operation) or as of the date of the report (Type I; design only), we offer a readiness assessment to walk through and document the processes and assist in identifying controls. As part of this process we also identify any weaknesses that could preclude having an unqualified opinion in the report, or have findings show up in the report in the testing section.
We perform a readiness assessment for a client and at the end of the readiness assessment we issue a management letter to the client that lists out the weaknesses that have been identified and recommendations to implement prior to the testing period (for a Type II; design and operation) or point in time of the review (for a Type I; design only). This allows a client to fix any identified issues before the actual SOC engagement begins. We cannot fix the identified issues ourselves because we cannot audit our own work, but we do provide detailed recommendations for getting issues resolved. For example, a big part of SOC 2 requirements are documented policies and procedures, and a readiness assessment assists in identifying the areas that need to be included in policies and procedures. Other remediation could include redesign of processes, implementation of training programs and documenting evidence that controls exist and are operating.
A readiness assessment can be most successful when planned out in plenty of time before the period under review or point in time of when the audit is going to start. The key is for an organization or have any issues identified and give themselves enough time to get the issues resolved. At Linford & Company we have found that for many new clients, especially if they have not been through an audit before, they can have a more successful first year SOC engagement when we perform a readiness assessment first.