Demonstrating your cybersecurity practices to potential customers has become an expectation for vendors. As one of the most common reports you can obtain in cybersecurity, System and Organization Controls (SOC) reports help differentiate your organization by reporting on controls and providing oversight of your organization’s governance and risk management process.
A few benefits of SOC reports include:
- Increase trust and transparency with your internal and external stakeholders;
- Reduce costs of compliance and number of on-site audits;
- Ensure your controls are appropriately designed and operating effectively to mitigate risks; and,
- Satisfy your audit requirement to meet your security and compliance goals.
This is the second installment of a two-part series on what to expect from each stage of the SOC audit. See the first blog on Phase 1: The Readiness Assessment which outlines what your organization can do to prepare for your SOC examination.
The SOC Examination
The SOC examination is the core of obtaining your SOC report. It is the main event of your engagement: this is where you work with your engagement lead to create a plan and assess your controls through walkthroughs, which leads to your final deliverable.
A SOC examination will typically take 3-12 months to complete. Below is a list of SOC reports that BARR offers and how they differ from one another:
- SOC 1: A SOC 1 report, once known as SSAE16, helps service organizations demonstrate their controls specific to the client’s financial reporting.
- SOC 2: SOC 2 reports apply more broadly to operational controls covering one or more of the five Trust Services Criteria (security, availability, confidentiality, processing integrity, and/or privacy) across a variety of systems.
- SOC 3: Much like the SOC 2 report, the SOC 3 examination reports on a service provider’s system security, availability, processing integrity, confidentiality, and/or privacy related to the Trust Services Criteria. This report is less detailed and can be distributed on a website for the public to read.
- SOC for Cybersecurity: Launched in 2017, SOC for Cybersecurity is a reporting framework over an entire entity’s cybersecurity risk management program and related controls.
As your trusted partner, BARR will walk you through each of the following steps to obtain your SOC report and ensure you reach your cybersecurity goals.
Create a Plan
A kickoff call is scheduled to confirm everyone is on the same page with the scope, timelines, deliverables, and personnel needed for the assessment. You will be responsible for confirming control wording and drafting your system description. BARR will provide information requests based on the agreed scope and controls.
This step takes place 60-120 days before the end of the examination period.
Assess your Controls
Your engagement team will schedule a walkthrough with your team to assess the controls and identify any preliminary issues. Your time is valuable, so to keep the process efficient, BARR will review your provided information requests and control activity in compliance automation software prior to walkthroughs.
Walkthrough duration is dependent on your environment complexity and size; however, four hours is the typical time commitment.
What is a walkthrough?
A walkthrough is a meeting, or series of meetings, to discuss the design and operation of your organization’s control environment. This is a time for the engagement team to ask questions concerning how the controls are designed and how they operate, providing the engagement team with a deeper understanding of your control environment to support our assessment.
Depending on your reporting period, walkthroughs are most effective in the following time periods:
- 30 days before period end (3 month reporting period)
- 60 days before period end (6 month reporting period)
- 90 days before period end (12 month reporting period)
What You Gain—SOC Reports
You’ve made it through your examination—now what can you expect? Once you’ve completed your examination, BARR will provide a draft of your report no later than 30 days after the examination period ends. After you’ve reviewed the report, we perform a final editorial and quality review. You’ll then sign off on the management representation letter.
Finally, BARR delivers your SOC report, which you can use to build customer trust. We not only celebrate with you but also optimize your experience with improved security and next steps for continued success.
Type 1 Report: The SOC 2 Type 1 Report (referred to as a point-in-time report) includes an opinion over the suitability of the design of controls at the service organization at a specific point in time. An initial Type 1 report often serves as the starting point for subsequent Type 2 reviews.
Type 2 Report: The SOC 2 Type 2 Report (referred to as a period of time report) includes an opinion over the suitability of the design of controls at the service organization and the operating effectiveness of the controls throughout a specified period of time. This type of report is often issued annually.
With SOC 1, SOC 2, and SOC for Cybersecurity, you can select whichever report type best fits your organization’s needs at the time. However, it is important to note that SOC 3 examinations are only available as a Type 2 report.
The SOC 3 report is designed for users who want assurance on a service organization’s controls, but do not have the need for the detailed, comprehensive SOC 2 report. Because SOC 3 reports are considered to be general use reports, there is the option to distribute the report for marketing purposes, such as posting it to your website.
Once you receive your report, BARR will provide you with a promotional package and schedule a debrief to review improvement opportunities for your security program, rate the engagement, and plan your next engagement.
Interested in learning more about how to differentiate your organization with a SOC examination? Contact us today.