SOC Audit Examination Overview
Our approach to SOC audits, summarized below, ensures an efficient, minimally invasive engagement with regular communication throughout the process. We guarantee each of our our clients will work with highly-skilled professionals whose knowledge spans multiple technical disciplines.
- Scope
During joint discussions with management, we determine which people, processes, and technologies relate to the services provided to user organizations. - Prepare
After we obtain the signed agreement, we prepare an initial request list and an illustrative Risk and Controls Matrix (RCM).
- Plan
We then plan our interview schedule for the onsite fieldwork.
- Arrive
We arrive on-site, typically a Monday morning, and start conducting interviews based on the interview schedule.
- Walkthrough
We perform the interviews and conduct walkthroughs of the processes and controls. We obtain documentary evidence to support our audit procedures.
- Readiness Assessment
Many first year examinations include a readiness assessment wherein we conduct certain examination procedures and communicate to management any internal control weaknesses.
- Write Up
We write up the description of services and the testing performed.
- SOC Report
We issue the SOC report.
- Engagement Timing
We typically work backwards from when the client (i.e., service organization) would like the audit report in their hands to share with their user organizations. This almost always drives the timing of our work.
- Duration
This is highly dependent on the scope of the examination and may result in two to five (or more) auditors being onsite for a period of one to several weeks. Typically, more time is spent in the first year of an examination than in subsequent years. Moreover, first year examinations may include two or more site visits. One site visit related to the readiness assessment, another being related to the actual examination.
Audit Methodology
Our audit methodology is divided into four distinct phases and includes proactive communication throughout the audit process, rather than delivering requests for corrections at the end of the reporting period. This proven methodology streamlines the audit process, resulting in minimal business interruption and full compliance with the audit guidance and related interpretations.
- Plan the Audit: During Phase 1, we gain a clear understanding of the information technology environment, information systems, risks, controls, and management expectations.
- Walkthrough and Evaluate the Design of Controls: During Phase 2, we complete the procedures that provide the basis for our opinion on the suitability of the design of key controls. During this phase, we will often draft the report and communicate it with management.
- Test Operating Effectiveness of Controls: During Phase 3, we conduct tests of the operating effectiveness of key controls (in accordance with the procedures specified in the draft report) and gather sufficient audit evidence for our opinion.
- Report the Results: During Phase 4, we hold discussions with management and appropriate shareholders to ensure stakeholders are aware of the examination results, and we deliver the final report along with a formal management communication.
Plan the Audit: During Phase 1, we gain a clear understanding of the information technology environment, information systems, risks, controls, and management expectations.
Walkthrough and Evaluate the Design of Controls: During Phase 2, we complete the procedures that provide the basis for our opinion on the suitability of the design of key controls. During this phase, we will often draft the report and communicate it with management.
Test Operating Effectiveness of Controls: During Phase 3, we conduct tests of the operating effectiveness of key controls (in accordance with the procedures specified in the draft report) and gather sufficient audit evidence for our opinion.
Report the Results: During Phase 4, we hold discussions with management and appropriate shareholders to ensure stakeholders are aware of the examination results, and we deliver the final report along with a formal management communication.