Ready or Not, You Need a SOC Report
If your company performs services for other organizations, there’s a good chance that at least one of your clients will eventually request a Service Organization Control (SOC) report. These reports are often requested by businesses that are required to issue audited financial statements or by businesses that outsource functions that need to be secure. A SOC 1 report may be requested if your business manages a function that would be tested by the client’s accountant performing a financial statement audit, like payroll. A SOC 2 or 3 report may be requested if your business manages data or software for a client and that client wants assurances about how you protect and maintain the security, availability, processing integrity, confidentiality and/or privacy of the digital resources under your control.
Many executives learn about SOC reports at the worst possible time. A service business may receive a request from an existing client or prospect that asks for a SOC report when the business is already straining to manage significant growth. Suddenly, management learns that it needs to undergo an audit that it has never done before in order to issue a report that’s necessary to maintain a critical client relationship. The good news is that guidance is available from accounting firms like Hein who can help you prepare and issue the SOC report your clients are seeking without overwhelming your staff.
Step 1: The Right Accounting Firm is Key
Your accounting firm should be a trusted advisor on whom you rely for guidance when navigating through complex financial and operational challenges that your business faces. While any accounting firm can prepare and issue SOC reports, not all of them do. When it comes to SOC reports, you should choose a firm that has experience with the specialized audit requirements to attest to an organization’s controls. If your accountant doesn’t do this type of work, or if the firm has limited experience with SOC reporting, you may want to consider hiring a different firm such as Hein that has a dedicated team that will help you prepare and issue your SOC report.
The process of preparing your business for a SOC audit requires significant interaction and collaboration between your employees and your accounting firm. Your advisor should be able to demonstrate knowledge of the AICPA guidance for SOC reporting and have a track record of helping businesses like yours prepare for and complete the SOC reporting process.
Here are some questions to ask potential candidates:
- Does your firm regularly prepare SOC reports? Only accounting firms are allowed to prepare SOC reports, but not all of them do. You want to make sure that the accounting firm you select to prepare your SOC report has experience guiding businesses like yours through this complex process.
- How many times has your firm assisted businesses in preparing for their first SOC report? There is an extra layer of communication and business acumen required of an accountant who is helping a business issue its first SOC report. As your company goes through the process, your firm should assist you and your staff in understanding how to comply with the guidance and improve controls during the readiness assessment. To prepare for a SOC report, your firm works closely with your staff to identify gaps in internal controls and recommend improvements and systemic changes that will help your business close those gaps. This phase of the process requires a close working relationship between your employees and the firm’s staff.
- Do you have any references? Ask specifically about businesses for which the accounting firm has prepared a SOC report. Talk to those clients and ask questions about how effectively the firm identified and described control gaps. Was the firm able to clearly explain the modifications necessary to align the business's control environment with AICPA guidance?
Step 2: The Readiness Assessment
The readiness assessment is a critical first step the business goes through during the initial SOC audit and reporting process. To perform the readiness assessment, your firm will collect the information needed to do the actual internal controls audit and examine the data just as it would if it were issuing the actual report. Your firm then provides feedback on which controls in your organization may not be adequate according to the criteria set forth by the AICPA.
The readiness assessment should always be a collaborative process. The SOC report is not about CPAs playing “Gotcha” with growing businesses. It’s about identifying potential gaps within an organization’s internal control systems and helping that organization build a plan that it can execute to strengthen those controls to meet criteria established by the AICPA. When your firm delivers the results of the readiness assessment, you can and should ask specific questions about any deficiencies identified in order to correct them before proceeding with the formal internal controls audit and report. Inquiries could be similar to the following:
- If we don’t modify this control prior to the reporting period, will it result in a qualified report?
- Can you explain how you test this control so that we might better understand how to correct the problem?
- Can you help us develop an action plan to correct deficiencies you have identified?
The readiness assessment and the related follow-up are crucial to the overall success of a first-time SOC audit and report. If you’ve chosen a firm with experience doing these types of reports, the feedback generated by the assessment should help your organization meet the AICPA’s guidance. At Hein, we focus on SOC reporting for businesses like yours. Our experience enables us to provide templates and suggestions that help your organization strengthen controls to acceptable levels in an efficient and cost-effective manner.
Once the deficiencies have been identified and corrected, your management team will confirm that the organization’s controls align properly with the financial control objectives or trust services principles that the AICPA has described for the type of SOC report being performed. From there, the firm supports management in the creation of a controls matrix and a narrative system description based on guidance released by the AICPA and examples supplied by the firm.
Regardless of the type of SOC report your organization needs, these two steps can go a long way toward making sure that your organization obtains a SOC report that builds trust for your brand with clients and prospects alike.
June 15, 2015