As rapidly changing IT systems introduce new security concerns, System and Organization Controls (SOC) 2 examinations are an increasingly important way for service organizations to address IT and operational risk and to instill customer confidence in their security, availability, processing integrity, confidentiality, and privacy policies and practices. While these examinations can be extensive and time consuming, there are steps your company can take to better prepare for, and get the most out of, its SOC 2 examination.
Following are some key ways your company can improve its SOC 2 examination to increase credibility, get more out of the exercise, and stay competitive.
Assessing Your Control Environment
SOC 2 examinations can help customers gain confidence in your company’s control environment, which is assessed against the American Institute of Certified Public Accountants’ (AICPA) Trust Services Criteria. The examination attests to the design (and, in a Type 2 report, the operating effectiveness over a period of time) of your company’s internal controls in one or more of the chosen categories outlined below. The auditor examines the key internal controls and issues an opinion, which gives your customers independent insight into the design and effectiveness of those controls.
At a high level, the AICPA-defined categories are:
- Security: Controls over physical and logical access as well as incident handling, system monitoring, and network security
- Availability: Controls over monitoring availability of information and systems, backups and restoration testing, disaster recovery, and business continuity planning
- Processing integrity: Controls to verify that the data processed is complete, valid, accurate, and timely; evidence is often in the form of key reports and reconciliations
- Confidentiality: Controls protecting data designated as sensitive or confidential, which is especially relevant in multi-tenant environments
- Privacy: Controls over privacy, especially relevant for environments that deal with personally identifiable information (PII) or protected health information (PHI)
Who Needs a SOC 2 Exam?
SOC 2 examinations have become an expected standard for service organizations that act as, or interact with, vendors that store, process, or maintain client data. CISOs, CFOs, and auditors rely on SOC 2 reports to gain comfort over, and insight into, the internal controls of critical vendors and service providers.
Regardless of your company’s line of services, from Software as a Service (SaaS) to Intelligent Autonomous Systems (IAS), if it has ongoing interactions with customer data or third-party providers, it likely needs an annual SOC 2 report to remain competitive in the marketplace and to reduce the number of vendor audits and security questionnaires it must respond to.
Consistent SOC 2 examinations not only help keep your company safe, they also help potential customers, business partners, or buyers gain comfort over the soundness of your system of internal controls. This can strengthen your company’s credibility and competitive edge in the market and increase customer confidence.
Improve Your Outcome
Adequate preparation can greatly reduce the stress of undergoing a SOC 2 examination and improve your outcome. Preparation involves three key steps.
1. Understand the Timeline
The timing of SOC 2 testing varies with a company’s controls and preparation, as well as with timing preferences driven by customer demand or business cycles.
Companies should begin preparing for their SOC 2 examination with their service auditor two to three months before the examination fieldwork takes place. In addition, companies should be in contact with their auditor at least quarterly to discuss system changes, updates, or significant events.
Only the fieldwork portion takes place onsite, and the length of fieldwork varies with the selected categories and the size of the company’s control set. A rough estimate of the time to complete fieldwork, based on the size of the control set:
- Small control set—one to two weeks
- Medium control set—two to three weeks
- Large control set—three to four weeks
2. Perform Ongoing Analysis
Last-minute discoveries can derail the best-laid plans. Timing delays and late-discovered control gaps can make a SOC 2 examination take longer than initially estimated and can lead to control exceptions in the report. However, there are steps your company can take on an ongoing basis to prevent or address these issues.
- Monitor your internal controls on an ongoing basis. Create a team of professionals in charge of consistently monitoring controls, collecting relevant evidence, and addressing unintended changes or threats if they occur.
- Enable configuration-change notifications. Automated alerts when a security-relevant setting changes let control owners detect errors or unauthorized changes quickly, and promptly informing your service auditor of significant changes to the control environment can help your company prevent or reduce the resulting damage.
- Apply consistent technology across all locations. Having consistent technology applied throughout your business allows different locations to exchange data and information with fewer compatibility errors or mistakes.
- Stay up-to-date with technology upgrades. Your infrastructure can become vulnerable as technology becomes outdated. It’s important to update your systems with current software upgrades and adopt new technology systems as cyberthreats evolve.
- Document system changes. In a SOC 2 examination, evidence that controls operated throughout the full examination period will be expected. When significant system, process, or entity-level changes occur, discuss them with your service auditor to understand the evidence you should retain from before and after the change.
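The configuration-change notification and evidence-retention items above can be implemented with a small drift check that runs on a schedule. The following is an added example, not tooling from Moss Adams or the AICPA: it compares a baseline of security-relevant settings against the current state, appends a timestamped entry to an evidence log on every run (so there is continuous evidence across the period, not just when something breaks), and builds a notification whenever drift is found. The host name, setting names, and values are constructed sample data; in practice the baseline and the observed state would come from your configuration-management system.

```python
"""Configuration-drift check with a dated evidence trail (added example)."""
import hashlib
import json
from datetime import datetime, timezone
from typing import Optional

# Constructed baseline: the approved state of a few security-relevant
# settings on a hypothetical host "app-01". Hand-written here for the demo;
# normally exported from configuration management.
BASELINE = {
    "ssh.PasswordAuthentication": "no",
    "ssh.PermitRootLogin": "no",
    "mfa.required_for_admins": "true",
    "backup.daily_job_enabled": "true",
    "log.forwarding_target": "siem.internal.example",
}


def fingerprint(settings: dict) -> str:
    """Stable SHA-256 of a settings map so an evidence entry can later be
    checked against the snapshot it claims to describe."""
    canonical = json.dumps(settings, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode()).hexdigest()


def detect_drift(baseline: dict, current: dict) -> dict:
    """Return changed values, missing keys, and unexpected keys vs. baseline."""
    changed = {
        k: (baseline[k], current[k])
        for k in baseline
        if k in current and current[k] != baseline[k]
    }
    missing = sorted(k for k in baseline if k not in current)
    unexpected = sorted(k for k in current if k not in baseline)
    return {"changed": changed, "missing": missing, "unexpected": unexpected}


def record_check(host: str, baseline: dict, current: dict,
                 evidence_log: list, now: Optional[datetime] = None) -> dict:
    """Append one dated evidence entry for this run and return it.
    A compliant run is recorded too: that is the evidence the control
    operated throughout the period. `now` is injectable for tests."""
    ts = (now or datetime.now(timezone.utc)).isoformat()
    drift = detect_drift(baseline, current)
    in_compliance = not (drift["changed"] or drift["missing"] or drift["unexpected"])
    entry = {
        "timestamp": ts,
        "host": host,
        "baseline_sha256": fingerprint(baseline),
        "observed_sha256": fingerprint(current),
        "in_compliance": in_compliance,
        "drift": drift,
    }
    evidence_log.append(entry)
    return entry


def notify(entry: dict) -> Optional[str]:
    """Build the notification text for a non-compliant entry; None if compliant."""
    if entry["in_compliance"]:
        return None
    lines = [f"[{entry['timestamp']}] configuration drift on {entry['host']}:"]
    for k, (old, new) in entry["drift"]["changed"].items():
        lines.append(f"  changed    {k}: {old!r} -> {new!r}")
    for k in entry["drift"]["missing"]:
        lines.append(f"  missing    {k}")
    for k in entry["drift"]["unexpected"]:
        lines.append(f"  unexpected {k}")
    return "\n".join(lines)


if __name__ == "__main__":
    log = []
    # Run 1: observed state matches the baseline; still logged as evidence.
    record_check("app-01", BASELINE, dict(BASELINE), log)
    # Run 2 (constructed): password auth re-enabled, backup job disabled.
    drifted = dict(BASELINE, **{"ssh.PasswordAuthentication": "yes",
                                "backup.daily_job_enabled": "false"})
    print(notify(record_check("app-01", BASELINE, drifted, log)))
    print(json.dumps(log, indent=2))
```

The evidence log is append-only and carries a hash of both the baseline and the observed state, so the entries written over the examination period can be handed to the auditor as-is and cross-checked against the retained snapshots.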
3. Look Externally
Maintaining controls throughout the year can be challenging for all companies, but it presents particular challenges for:
- Small companies that don’t have designated compliance personnel or can’t maintain the appropriate segregation of duties
- Businesses that have recently undergone a merger or acquisition, or other material changes to the control environment
- Large businesses that have a difficult time designating professionals for their ongoing monitoring team
In these instances, companies can benefit from outsourced services. While your service auditor must remain independent in their approach, they can assist management through complementary consulting engagements, subject to the applicable independence rules. These may consist of readiness assessments in which the examiner helps identify your control activities and map them to the AICPA’s prescriptive criteria. The service auditor can also draw on their understanding of management’s processes and environment to help management craft the system description, which is typically a stumbling block for first-time examinees.
We’re Here to Help
With adequate resources and preparation, your SOC 2 examination can support your company’s reputation and help better position it for success. To learn more about how to prepare for and improve your next SOC 2 examination—or for assistance with another type of SOC report—contact your Moss Adams professional.