Many organizations choose to complete a readiness assessment prior to their System and Organization Controls (SOC) examination. The readiness period of your SOC audit prepares your organization’s policies and procedures so your assessment runs smoothly. Think of it like food preparation—you gather and organize your ingredients, cooking equipment, and recipes beforehand so when the time comes to cook, you’re ready to make the best meal possible.
This blog is the first installment of a two-part series on what to expect from each stage of the SOC audit. Within this series, we’ll outline the two phases of BARR’s SOC engagement process—1.) the readiness assessment and 2.) examination reporting. And we’ll detail what your organization can expect during each step of the way.
Currently, BARR Advisory offers SOC 1, SOC 2, SOC 3, and SOC for Cybersecurity examinations. As more organizations prepare for the implementation of SOC audits into their security and compliance strategy, we aim to simplify the process.
Senior Consultant Daniel Flores Herrera said, “What makes BARR stand out is that we live our core value of simplicity. We understand that going through the auditing process, especially if it is your first time, can be intimidating. BARR makes the process easy for our clients by leveraging all the resources available to us as a remote company.”
Let’s take a look at what the readiness phase of your audit journey will look like at BARR.
Choosing Your Path: Readiness Assessment Versus Automation
When preparing for your audit, there are two options you can choose prior to examination reporting:
- Readiness Assessment: Plan and conduct the preparation work manually. This typically consists of interviews, a deep dive into your cybersecurity processes, and a gathering of materials that showcase how your company meets your security controls.
- Automation Platform: Use a third-party automation platform to help streamline the process of documenting your policies and procedures. BARR partners with top automation companies and can connect you with the platform best suited for your organization.
With either option, both you and BARR are responsible for providing specific information throughout your SOC audit:
- What you provide:
  - Complete your system description. The system description provides an overview of your company’s operations and control environment for the in-scope system.
  - Review control wording. Controls are documented processes in your environment, relevant to your in-scope system, that help achieve your in-scope trust services criteria. BARR will provide you with template controls to test during the engagement. It is important that you review the controls and modify them to reflect your current control environment.
  - Provide information requests. BARR will request documentation, and information requests must be submitted within the predetermined time frames that the engagement team establishes.
- What BARR provides:
  - Support and knowledge. We are here for you during the engagement kickoff meeting and throughout the engagement to provide the support and knowledge you need to complete it.
  - Solutions to information requests. We will review information requests as they come in and hold walkthrough meetings with you to gain an understanding of your control environment, ensuring that we obtain the correct documentation to evidence your compliance with the applicable trust services criteria. We will report any issues we identify to you immediately and work with you to come up with possible solutions.
  - Draft report. At the conclusion of our fieldwork, we will issue a draft report for your team to review and provide feedback on.
What to Expect from Readiness Assessment Meetings
If you choose the readiness assessment option, BARR will connect with you on a 30-minute call to determine your needs, then send a proposal confirming that understanding within one day of the call.
BARR will provide three key deliverables to assess your audit readiness: System Scope, Prioritization of Gaps, and Key Controls. This is accomplished as follows:
- Readiness Meeting 1: You will be introduced to your dedicated BARR engagement manager to schedule the first readiness meeting. After meeting the team and confirming expectations, you can expect to provide a demo of the target system.
- Readiness Meeting 2: Your engagement manager will schedule a meeting of at least two hours, at a time that works for you, to get an overview of your key processes, including change management, access management, and vulnerability management. Additional meetings may be necessary depending on complexity.
- Readiness Meeting 3: Once your engagement manager has an understanding of your processes, they will provide a prioritized list of observations and recommendations. We will go over the list in a one-hour debrief meeting.
- Remediation & Engage: You will develop and execute remediation plans to get your environment ready for your engagement, but don’t worry, your engagement manager is here to help with any questions. Based on your remediation timeline, your manager will work with you to plan your engagement timeline and resources. BARR will execute an engagement letter for the examination with the confirmed timelines and key dates.
Looking Ahead to Examination Reporting
Once the readiness period is complete, you are ready for your examination. Like the readiness assessment, BARR will walk you through the process to ensure you pass with flying colors.
During the examination reporting period, your auditor will conduct virtual site visits, which include interviews, walkthroughs, and likely some additional evidence collection. Once a visit is complete and your auditor feels they have sufficient knowledge of how your company meets SOC standards and controls, BARR will begin drafting your report.
Stay tuned for the second part of this blog series on what to expect during your SOC audit. We’ll examine in more detail BARR’s process on the examination reporting period.
Interested in more information about how to initiate a readiness assessment for your SOC audit? Contact us today for a free consultation.