How do you improve and professionalize a SOC report?
Systems and Controls – SOC reporting is all about controls. An ISAE 3402 | SOC 1 reporting for financial outsourcing, such as asset management, SaaS-providers (financial software), datacenters (storage of financial data). ISAE 3000 | SOC 2 reporting is focused at a broader IT scope, for user organizations with additional requirements on security, availability, processing integrity, confidentiality and privacy. These criteria are known as; Trust service Criteria or Trust Service Principles. Our consultants advice many boards of corporates and SME’s on achieving the ultimate goal, a professional, unqualified SOC Report. What are the necessary steps to achieve this?
The method
The first steps are; understanding the criteria, scoping the audit and following a structured approach for the implementation. In this article we will outline; how to? Receiving an unqualified report is also dependent on many factors and requires a lot of discipline from your employees following procedures and performing controls, but effective structuring and planning can help a lot!
Criteria
The criteria for an ISAE 3402 | SOC 1 report are mainly dependent of the reporting procedures of the user organization, the SLA agreement and other user organization requirements. The criteria for an ISAE 3000 | SOC 2 report are developed by the American Institute of Certified Public Accountants (AICPA). The AICPA has developed Trust Services Criteria which are more descriptive and cover the control environment, risk management, communication and detailed controls, as well as detailed technical criteria.
In other words, the Trust Service Criteria describe broadly what should be done, but organizations are free to develop controls; the how. Auditors who SOC audits are verifying, observing and reperforming organization’s controls to determine whether controls are well-designed, controls exist and are operating effectively to achieve the desired outcome. The first step in the SOC implementation process is defining the audit scope.
Audit scope
Acquiring an overview of the environment and systems is critical to defining the scope. That’s why the Risklane SOC implementation projects start with a diligent analysis of the organization, the infrastructure, services delivered and processes. Without this analysis the quality of the SOC report will be suboptimal, which might ultimately lead to a qualified opinion or at least an ineffective ISAE 3402 | SOC 1 or ISAE 3000 | SOC 2 audit. For an ISAE 3000 | SOC 2 report, the next step is understanding the trust service criteria.
Understanding Trust Service Criteria
The first step in understanding the criteria is acquiring these from the AICPA website and studying these in relation to the defined scope. The Trust Service Criteria are in a sizable document, and the specific language can be a bit difficult to understand at times but investing your time in studying these will pay-off in a later stage of the audit. In the Trust Service Criteria, examples for each criterion are included of the risks and controls that typically mitigate these risks. After understanding the criteria, controls should be mapped to risk and vise versa.
Mapping risks and controls
The most common mistakes we identify in existing frameworks are non-matching or redundant controls. Nonmatching controls are controls that do not effectively cover a defined risk or risks for which controls are absent (control mismatch). Redundant controls are defined as controls that are covered by other controls or which do not cover a risk at all. These redundant controls are basically existent, without a real purpose. After this analysis and matching, the next step is creating a Control Matrix
Creating a Control Matrix
Documenting control objectives and related controls in a structured Control Matrix will be beneficial for more than one reason; it will become the source for how risk-controls are structured and implemented and will become an important reference document for your SOC auditors.
For example, Trust Services Criteria related to monitoring controls are matched to a list of confirming controls, which show how these controls mitigate the relevant risk, controls are well designed and are operating effectively. In our experience these should be as detailed as possible; who performs the control? What information is used? What is the outcome? How is this documented? Answering these questions will be very helpful for your auditor to validate that stated controls are in place, designed to meet control objectives and are effective in doing so. In future articles we will outline more in-depth on how to structure your control framework. After this phase, the readiness assessment and remediation; the audit can be prepared.
Audit preparation
The prior described process might seem a bit daunting, don’t panic. We can always support you in the process. We can help you to scope, understand the Trust Service Criteria and advice you on how to effectively align controls to risks and remove redundant controls. Of course, you can also acquire a ControlReports license for ISAE 3402 | SOC 1 implementation or ISAE 3000 | SOC 2 implementation, which will provide a well-defined approach and effective workflow to scope, understand and define the controls. Both, ultimately resulting in a SOC reporting in accordance with our industry best practice, based on years of experience.
Please contact Koen van der Aa (+31) 30 2800888. He is more than pleased to help you start up the process.