How To Prepare for a SOC Audit
If your company is considering undergoing a SOC (Service Organization Control) audit, you may be wondering how to prepare. Whether it is a SOC 1 (performed under SSAE 16, since superseded by SSAE 18), SOC 2 or SOC 3 audit, there is information you can gather in advance to facilitate the audit process. Before coming onsite, your auditor will typically request documentation such as your company’s policies and procedures (including a formal security policy and a change management policy), an organizational chart, company history, marketing material and biographies/profiles of management. A SOC audit may still be performed if some of this documentation does not yet exist.
For example, if your company does not have an organizational chart, a list of employees with their titles/job descriptions will suffice. Keep in mind that a seasoned audit firm will help you create missing documentation by providing templates. Your auditor will also want a description of your company’s services and of the key applications and operating systems your company uses (SAP, CITRIX, FACETS, CACHE, etc.).
It will help your auditor to know whether your company has ever had an independent review conducted by a third party, and whether it is subject to any regulatory or industry standards, such as HIPAA, GLBA, PCI DSS or HITRUST. The auditor may also ask whether your company has adopted a governance framework, such as COBIT, ISO/IEC 17799 (now ISO/IEC 27002), ITIL, etc. Other relevant questions your auditor may ask are:
- Do you own your own data center, or is it hosted by a third party?
- Does your company engage in electronic commerce?
- Is your software developed in-house or through a third party?
- Do you outsource any significant IT processes?
- How many remote locations will be included in the audit?
One of the key ingredients to a successful audit engagement is adequate participation and input from the company undergoing the audit. To that end, your company should allocate a cross-functional team to facilitate the engagement, including a single primary point of contact. The team would be comprised of one representative from each key functional area included in the SOC audit, as deemed applicable and appropriate by the company’s management. This team would be responsible for participating in routine status meetings with the engagement team to assess how well the project is progressing and to discuss potential challenges. More importantly, as control weaknesses or deficiencies are identified by the engagement team, this gives management the opportunity to follow up on them promptly rather than learning of them in the final report. Please note that the creation of such a team is a recommendation. A successful SOC audit can be completed without a team, and can just as easily be completed by allocating an individual to help steer the audit process.
Once the necessary information has been gathered, and a team or individual has been selected, the next step will be to collaboratively identify the control objectives and control activities that will comprise the scope of the audit, and to establish a project plan and timeline with your auditor. In the onsite portion of the audit, the auditor will test the design effectiveness of existing controls as of a point in time (a Type I report) and, for a Type II report, also their operating effectiveness over the audit period, using audit programs developed in accordance with standard audit practices and one or more of the following techniques:
Inquiry – A written or verbal request for information made by the auditor to the client or to a third party. Inquiry on its own is the weakest form of evidence and is normally corroborated by one of the techniques below.
Observation – Observation by the auditor of a procedure being performed, usually by an employee of the client entity, to gather evidence that a particular control procedure is operating in the manner planned (i.e., as the procedure was designed to be performed). Observation only shows that the control operated at the moment it was watched.
Inspection – Inspection of documentary evidence obtained from the client (such as a procedures manual, a copy of a sales invoice, a change ticket, etc.) or independently of the client (such as relevant industry and financial publications, suppliers’ invoices, etc.) to confirm that the control was performed in the manner planned and consistently throughout the period of intended reliance.
Re-performance – The auditor independently executes the control procedure as it was designed to be performed (i.e., in accordance with the client’s documented procedures) and compares the outcome with the client’s own result. Re-performance provides evidence that the control as designed is capable of achieving its objective and, when applied to items sampled from across the period, that it operated effectively.
As an experienced auditor, I.S. Partners, LLC will provide consistent engagement management and staff personnel throughout the audit process, and will provide feedback and recommendations for items identified requiring remediation. In short, we provide “Audits Without Anxiety!” Call us at 215-675-1400 or request a quote!