SOC Engagement Process

GCPA works closely with your organization in developing a successful roadmap for SOC compliance. We analyze your key business processes and objectives to give us valuable insight as to your needs regarding SOC compliance. The cost and time of completion for Type 1 and Type 2 engagements varies significantly; therefore, we strive to understand your business dynamics to provide you exactly what is needed.

Utilizing leading tools, expertise GCPA streamlines the control objective and control activity identification process by utilizing an extensive internal control database containing business process and information technology controls for multiple operating systems and applications?. Our extensive knowledge and experience enables us to quickly gain an understanding of your internal control environment and identify the key controls associated with your business process and IT environment.

Reducing time, effort, and costs of audits GCPA has worked with clients who have had SOC audits performed by other auditors. When we review the process and controls documentation, we are consistently able to reduce the number of control objectives by an average of 15-25%. This not only helps to reduce time, effort, and costs of the audit, but significantly increases the efficiencies associated with the business process. Clients are able to focus on the most important controls and not waste time and effort on controls that do not add value to the process, are redundant, or do not represent key controls.

Understanding the process The SOC engagement process begins with a meeting with key management involved with the process and IT environment being audited. If the client has had a SOC audit previously, we will review their controls documentation to gain an understanding of the process and to facilitate questions during the initial meeting.
After the initial meeting, we provide the client with a controls listing and sample documentation to facilitate the controls documentation process. Once we have a good draft of the controls documentation, we plan our on-site visit to confirm the controls and perform controls testing if a Type II report. Our average time on site is 3-4 days depending on the complexity of the process and number of control activities.

Our pre-designed report templates enable us to quickly turnaround the first report draft for management review. We typically issue the first draft to management within two weeks of completing controls testing. Depending on management’s availability, we are able to issue the final report within 3-4 weeks of completing controls testing.

Gray CPA, PLLC All Rights Reserved