Linford & Company specializes in helping service organizations go through their System and Organization Controls (SOC) review the first time. Many small- and medium-sized service organizations that approach us at Linford & Company have been asked by one or more of their clients or prospects to provide a SOC 1 or SOC 2 and have no idea what these reports are or what is involved to get the report. We want our clients to be successful, so we provide a readiness assessment for new clients the first year.
What is a SOC 1 and SOC 2 examination?
- SOC 1 (previously known as SAS 70 and/or SSAE 16): A SOC 1 examination addresses the needs of a user entity's auditors or management as they examine the impact a service organization's controls have on the user entity's financial statement assertions. A SOC 1 is performed under SSAE 18, Reporting on an Examination of Controls at a Service Organization Relevant to User Entities' Internal Control Over Financial Reporting (AICPA, Attestation Standards, AT-C section 320).
- SOC 2: A SOC 2 report can meet the needs of a wider range of users who require information and assurance about the controls designed and operating at a service organization. A SOC 2 examination can include controls that meet the criteria for Security (common criteria), Availability, Confidentiality, Privacy, or Processing Integrity. A SOC 2 is performed under SSAE 18, Reporting on an Examination of Controls at a Service Organization Relevant to User Entities' Internal Control Over Financial Reporting (AICPA, Attestation Standards, AT-C sections 105 and 205).
How Do You Become Audit Ready?
Once a service organization has engaged an auditor to perform a SOC examination, how do they prepare for the audit? Many service organizations that have never been through a SOC examination struggle with this. How do they know what is included in the examination? How do they know if they are ready? The easiest way to prepare for a SOC examination is to have a readiness assessment completed.
What is a SOC Readiness Assessment?
Readiness assessments are designed to assist a service organization in assessing its preparedness for a SOC engagement. Regardless of whether a company is getting a SOC 1 or a SOC 2, there are processes that need to be walked through and documented, and controls that need to be identified. Instead of initially looking at these processes and controls during the period under review (for a Type II; design and operation) or as of the date of the report (Type I; design only), a readiness assessment takes a look before this time to walk through and document the processes a service organization has in place and help identify key controls to be included in the examination. This process can then identify any weaknesses that could preclude having an unqualified opinion in the SOC examination or have findings show up in the report in the testing section.
At Linford & Company, at the end of a readiness assessment, we issue the service organization a management letter that lists the weaknesses that have been identified and our recommendations to implement prior to the testing period (for a Type II; design and operation) or point in time (for a Type I; design only). This allows a client to fix any identified issues before the actual SOC examination begins. The auditor performing the SOC examination cannot fix the identified issues themselves, because independence requirements prohibit an auditor from auditing their own work.
But at Linford & Company, we do provide detailed recommendations for getting issues resolved. For example, a big part of the SOC 2 requirements is documented policies and procedures, and a readiness assessment assists in identifying the areas that need to be covered in those policies and procedures. Other remediation could include a redesign of processes, implementation of training programs, and documenting evidence that controls exist and are operating.
What is Included in a SOC 1 Readiness Assessment?
The service organization is responsible for defining the control objectives that support their services provided to clients (Linford & Company can assist with this definition). A SOC 1 readiness assessment will walk through the key business processes supporting the services provided by the service organization, in addition to the IT general controls supporting the services. The readiness assessment will assist in identifying any weaknesses in the processes or controls supporting the control objectives. A management letter will be issued at the end of the readiness assessment.
What is Included in a SOC 2 Readiness Assessment?
The service organization will determine which criteria will be included in the SOC 2 examination. Just like a SOC 1 readiness assessment, a SOC 2 readiness assessment will walk through the processes and IT general controls supporting the service organization's services, identifying controls that will meet the selected criteria. A management letter will be issued at the end of the readiness assessment.
When Should a Readiness Assessment be Performed?
A readiness assessment is most successful when it is planned well in advance of the period under review (Type II) or the point in time (Type I) at which the audit will start. The key is for a service organization to have any issues identified early enough to give itself time to resolve them. If a service organization knows a SOC examination is going to be required by a client or prospect, it is best to start planning ahead so there is enough time for a readiness assessment, which sets up the service organization for a successful first SOC examination.
Who Can Perform a Readiness Assessment?
While a SOC examination is required to be completed by a Certified Public Accounting (CPA) firm, there is no requirement that a readiness assessment be performed by a CPA firm. A service organization can have one firm perform the readiness assessment and a different firm perform the SOC examination, but we have found over the years that some of our most successful SOC examinations follow a readiness assessment performed by us. The reason is that we are already familiar with the controls and processes when performing the SOC examination, because we helped identify them during the readiness assessment. Because we have found this approach so successful, we include the readiness assessment for our new clients at no additional charge.
At Linford & Company we have found that many new clients, especially those that have not been through an audit before, have a more successful first-year SOC engagement when we perform a readiness assessment first.
This article was originally published on 11/18/2015 and was updated on 4/14/2021.
Nicole Hemmer started her career in 2000. She is the co-founder of Linford & Co., LLP. Prior to Linford & Co., Nicole worked for Ernst & Young in Indianapolis, Chicago, and Denver. She specializes in SOC examinations and royalty audits and loves the travel and challenge that comes with clients across all industries. Nicole loves working with her clients to help them through examinations for the first time and then working together closely after that to have successful audits.