Services
Services
SOC & Attestations
SOC & Attestations
Payment Card Assessments
Payment Card Assessments
ISO Certifications
ISO Certifications
Privacy Assessments
Privacy Assessments
Federal Assessments
Federal Assessments
Healthcare Assessments
Healthcare Assessments
Penetration Testing
Penetration Testing
Cybersecurity Assessments
Cybersecurity Assessments
Crypto and Digital Trust
Crypto and Digital Trust
Schellman Training
Schellman Training
ESG & Sustainability
ESG & Sustainability
AI Services
AI Services
Industry Solutions
Industry Solutions
Cloud Computing & Data Centers
Cloud Computing & Data Centers
Financial Services & Fintech
Financial Services & Fintech
Healthcare
Healthcare
Payment Card Processing
Payment Card Processing
US Government
US Government
Higher Education & Research Laboratories
Higher Education & Research Laboratories
About Us
About Us
Leadership Team
Leadership Team
Careers
Careers
Corporate Social Responsibility
Corporate Social Responsibility
Strategic Partnerships
Strategic Partnerships

Preparing Your Organization for a SOC 2 Examination

SOC Examinations | Audit Readiness

Here are five steps to help successfully prepare:

1. Validate the Nature of the Request.

Does your client base understand the various SOC reporting options and what they are asking of your organization from a compliance reporting perspective? Is there a connection to internal controls over financial reporting (ICFR) of the services that you provide to your clients, or are you looking at general controls of a system that are relevant to security, availability, processing integrity, confidentiality, and/or privacy? SOC 1 can oftentimes be misused by the general public as a generic reference to third party examinations. There is misconception in the marketplace; help prevent it.

2. Understand the Trust Service Principles.

Experience has shown that the best way to reach an effective solution is by considering the needs of customers and other interested third parties. First, communicating and determining the information the user organization will want, need, and expect should help determine the best trust service principles (TSP) to select. Also, service organizations must look at their control environment and identify which TSPs are applicable based on the criteria. Oftentimes an organization or the interested third party will request specific TSPs, however, after reviewing the criteria, the organization’s business processes, and the control environment, the TSP(s) would not even be applicable in the environment. For example, a cloud service provider most likely wouldn’t need to focus on processing integrity, but it is vital for a payroll provider.

3. Determine Preparedness.

Once you understand the different TSP’s, consider your options and preparedness prior to determining how to proceed. If the environment to be examined is relatively new and has never been through an audit, it might be best to start with a readiness assessment and / or Type 1 examination, and then move to a Type 2 examination. Be mindful of the review date and review period as they relate to Type 1 and Type 2, respectively.

4. Identify Key Personnel within the Organization.

This person(s) will be responsible for the overall audit effort. Determine whether your organization has the bandwidth necessary to provide the time and resources required of the examination. Although not mandatory, oftentimes it is helpful to assign a primary internal point person with audit experience to the engagement.

5. Contract and Start Planning.

It is necessary to perform due diligence when selecting your service auditor. Speak with at least three different firms. Confirm that the firms have the proper licensing and credentials to operate in the state(s) that your services are located, have skilled and credentialed personnel, and are a good fit overall with your organization. Remember, the least costly firm is not always the best option.

Ask.jpg

Some questions to ask:

  • How many SOC 2 engagements have you performed as a company?
  • How many SOC 2 engagements have been performed for other companies in your industry?
  • How much experience do your personnel have in performing SOC 2 engagements?
  • How do you provide pricing?

A properly planned engagement with an experienced audit firm will help your SOC 2 examination be successful. Good luck!

 

About STEPHEN HALBROOK

Stephen Halbrook is a Managing Principal at Schellman. He is an experienced and proven federal practice leader performing service delivery management across service lines including FedRAMP, NIST, SOC, PCI DSS and ISO. Stephen also helps assist large and complex organizations that have multiple compliances needs helping them strategically align their efforts to maximize cost and efficiencies. He has more than 15 years of experience in the assessment industry and started his career working in Deloitte’s Advisory practice.