SOC Preparation Checklist

SOC 1 & SOC 2 Preparation Checklist    

We’ve been hearing from various people in the marketplace that they were interested in learning about some steps, at a high level, that they need to take to get off the ground and on their way to completing their SOC 1/2 Report Type I or Type II.  So, we will give you all a breakdown of some of the things organizations should be doing now, and some things to think about down the line as you progress.

This SOC Reporting Checklist is geared towards service organizations whom have never undergone a SAS 70, SSAE 16, and SSAE 18, etc., in the past and will be taking up the task this coming year.  A more detailed version geared towards companies that have some experience being audited will be coming down the line.

• Do your research.
• You have already come across our site, so you have begun the process of researching SSAE 16 and the responsibilities that come with performing one. 
• Find a few CPA firms who have issued SOC Reports annually.
• You will want to research a number of firms that could perform and sign off on your SOC Report, which, only CPA firms are permitted to do. This process should be handled with the utmost care as you are putting a lot of trust into the company you choose, they can make or break you.

Some things to consider:

     1.  The size of your company – You may not be able to afford a large CPA firm.

     2. The clientele you are attracting – Some companies will not feel secure with the quality of your SSAE 18 if it was not performed by a qualified CPA firm. 

    3. Total SOC 1 or SOC 2 reports performed – You do not want to use a company who has never done such work in the past, unless they are comprised of former employees of another quality firm and have decided to take off on their own.

    4. The methodology employed – You will want to quiz the companies and gain comfort around their methods and ensure you are comfortable with their responses and agree based upon your research.

     5.  Narrow your search.

• Based upon how you felt about each company, the people, the methodology, their previous experience, and of course, cost you should narrow down your search to the top 2 companies.
• Pricing for a SOC report can vary greatly depending upon the company performing the work, the size of your organization, and audit scope. On average, company’s should be expected to spend between $15,000 - $85,000 for a Type II audit.
• You should look for a fixed rate fee so there is no potential for them to raise rates on you as the project progresses.

     6.  Define the scope.

• Once you have engaged a firm to perform the work, make sure you define the scope of the audit early on in the process. Not doing so could lead to excessive delays and potential cost overruns.

     7.  Define your control objectives and activities.

• In conjunction with your CPA firm, define the controls and test steps to be tested and make sure that they have been reviewed by process owners and any of the stakeholders at the CPA firm who may be reviewing and/or signing off on the report to ensure everyone is in agreement.

     8.  Perform a Readiness Assessment.

• You can either choose to perform a readiness assessment on your own, based upon the test steps already defined, or, if you do not have the capacity or ability to do so internally, you can look towards either the firm performing your review or another firm who is skilled in preparing companies for audits.

These steps laid out here will set you on your way to getting your SSAE 16 started up and going and should help to guide you through the toughest parts of the process. Once you have completed all of the steps we have laid out, you should be able to rely on the knowledge of your CPA firm to take you through the finish line.

This information is also consistent with SSAE 18 which is effective as of May 1, 2017.

SSAE 18  Preparation Tips

This tip is focused on designing controls that reflect the processes currently implemented.  Nonexistent controls may create delays and exceptions once testing for the attestation engagement begins. 

How can the worst-case scenario be prevented? Begin by conducting early information gathering between various process owners such as auditors, department leads, associates performing the function, and any other personnel responsible for having a role in the testing or modifying of the control.  After the appropriate information is gathered from these meetings, Management should discuss what they determined the control to be, and how it should operate.   After the control is finalized, the information should be reviewed by the auditors. The employees performing the tasks should also be consulted in order to verify that the control accurately reflects the current process.  The identification of the control to be tested, is an important process for the attestation engagement. We strongly suggest frequent communication between the auditor and client throughout the process, to ensure that potential issues are addressed during each phase of the project.   

If the control is not 100% agreed upon prior to testing and a deviation is noted, it will be difficult to decide between failing the control or adjusting the control, to accurately reflect the process.   It is ill-advised to modify a control after testing begins. Delays caused by adjusting the control, after testing has begun, may mean additional costs to the client. We at HWNS, are here to ensure that your engagement is as successful as possible.