SOC 2 Readiness Assessment & Remediation – Our Approach
We’re happy to share our SOC 2 Readiness Assessment methods with prospective clients. SOC is quite new, and some clients need help through the process. What matters isn’t the exact model; it’s making informed choices and delivering effectively.
Part 1: Getting Started
Step 1: Ensure SOC 2 Applies
Is SOC right for your business?
Are you a Service Organization (providing outsourced or Cloud services)?
Is Trust a central part of what you offer clients?
Do your clients care about the security, confidentiality or privacy of their data, how available your services are, and how well you process their information?
If yes, then SOC 2 and possibly SOC 3 reports may apply.
If you are a Service Organization where the way you handle financial information may affect your clients’ financial reporting, then SOC 1 (formerly the SAS 70 financial-based audit) may apply.
Step 2: Select and Liaise with Auditor
SOC 2 interpretation is still an issue
SOC 2 and SOC 3 implementation has some fuzzy areas where you need to be on the same page as your auditor:
- justifiable boundaries for the system being reviewed
- clarity of boundaries for Cloud services
- which Criteria under Principles you are trying to meet can be ignored given the nature of your business
- the minimum period over which controls must have been operating (or designed) before they will audit
- how you are going to manage controls at any organizations you outsource to
- how Agile and DevOps IT shops can meet change management requirements
- what happens if auditors notice breaches under Principles you aren’t trying to meet.
If you talk to an auditor upfront, they’ll try to sell you readiness as well as audit. If you’re a big shop, that can be tempting. If you’re small, it’s way too expensive and they won’t get as hands-on as a process consultancy.
Step 3: Choose SOC Elements
Type, System, Principles and Criteria
Before you start you need to identify the fundamental elements of what you are looking at for Service Organization Controls.
- What Report Type do you want?
Type 1 – report on system description and design of controls operating at a point in time
Type 2 – report on system description, design and operating effectiveness of controls over a period (typically 6 months)
- What is the System you want to look at?
A System is organized to achieve a specific business objective and has the components Infrastructure, Software, People, Procedures and Data.
- Which Principles apply?
You can choose all 5, multiple or only one of the Trust Service Principles.
FYI: Very few organizations have passed in all 5 Principles.
- Which Criteria apply?
You must report on all Criteria under the chosen Principles. You can, however, explain why you don’t have a control for a Criterion if it doesn’t apply to the services you provide.
Part 2: Building Your Controls
Step 4: List Management Commitments
Customer standards to meet
Management commitments are set out in written contracts, service level agreements and public statements and policies. These set standards for the controls under the various Principles.
Under SOC, management must have a list of their commitments and must make sure their System is designed and operating to meet them.
Typical examples include contracted or claimed uptime availability or data security.
Step 5: Evaluate Controls and Gaps
Present, well-designed and effective?
Gap analysis requires close review of your chosen System against the Principles and Criteria you have chosen.
If your business has a good level of service and process maturity, this can be a relatively quick project.
If, however, policy, procedure, risk management, security and operations do not have mature processes (and documentation), not only will there be gaps but identifying them will take longer.
We deliver both detailed Criteria-level gap analysis and summarised management reports on areas of weakness.
Step 6: Remediate Gaps
Build controls and process
Where there are gaps in the controls over the System, if you want an unqualified SOC 2 report, you have to remediate. This can involve:
- process re-design, implementation, training and documenting; this can be in any area from recruitment to operations and infrastructure to development or leadership team processes
- integration with enterprise risk management structures
- working closely with Security and Operations personnel
- integration with service delivery models
- innovative and automated solutions for Agile and DevOps shops.
Step 7: Develop System Description
System, Criteria, Controls and Management Assertions
The System Description is what you provide to your auditor, and it forms the basis of any audit. The full list of what should be in it is set out in 4 pages of the AICPA Information for Management of a Service Organization (2011). It includes:
- a narrative explaining your services, and the components and boundaries of the System
- a completed Trust Services Criteria matrix for the Principles being addressed
- explanations of why any relevant Criteria aren’t addressed by a control and whether the system has changed over the audit period
- all necessary information about sub-service organizations (people you outsource to)
- specific, comprehensive privacy information for organizations addressing the Privacy principle.
You also have to provide a written Management Assertion about the System Description, the design (and, for Type 2 reports, the operating effectiveness) of the controls, and the monitoring that is the basis for your assertion.
Part 3: Driving Successful Audit
Step 8: Run and Maintain Processes
Build an effective audit period
Once you have a designed System you must have an operating period. How long? Check with your auditor, but plan for 3-6 months. If you’re going for Type 2 (design and effectiveness), your processes have to be operating, and auditors test and report on them.
US auditors have reported doing Type 2 SOC 2 audits on a period as short as 2 months, and then following up inside 12 months.
Even if you are only going for a Type 1 (design) audit, your processes still have to be implemented. This can be a trap for new players. Refer to para 3.13 of the AICPA Guide: Reporting on Controls for a Service Organization (for sale).
Step 9: Prepare and Undergo Audit
Walkthroughs before any final audit
After any gap remediation, walkthroughs of the relevant processes and documents are essential before facing an audit. If you have an internal audit function (and you should), they can do this. If not, a combined client-consulting team can report to your SOC project management.
Your risk, assurance or compliance manager will be responsible for managing the audit relationship. We’re happy to help out, but since we may have a stake in any process changes, your audit function must run the show.
Where there may be qualifications (we’d hope there wouldn’t be), we can remediate and re-document.
Step 10: Distribute Reports
Specific uses of SOC 2 and SOC 3
SOC 2 and SOC 3 reports have different structures and intended audiences, even though they rely on substantially the same system structures and audit.
Once you have your SOC 2 report you can distribute it directly to stakeholders such as internal management, the risk management function of user organizations, business partners and others who understand internal control concepts.
A SOC 3 report is more general in nature, for people who aren’t as “internal-control friendly”. It is briefer and less detailed, and you can put it on your website or mail it to interested parties.