SOC Readiness Assessments help companies prepare for a future SOC 1 and/or SOC 2 audit, whether a Type 1 or Type 2 report. We strongly recommend a readiness assessment for any company that plans to undergo a Type 2 SOC audit as its initial audit. A SOC Readiness Assessment augments the overall engagement process for the actual SOC audit: it provides a more streamlined, efficient audit and helps mitigate business interruption when the SOC engagement itself is conducted.
The assessment is designed to identify the controls that should be implemented or enhanced prior to the actual audit. Some companies have existing control documentation and test their controls on a regular basis. GCPA can review those controls and identify improvement opportunities and in some cases reduce the number of identified controls due to redundancy or excessive non-key controls. For companies who have never identified or documented their controls, GCPA has developed an extensive internal controls database that assists clients in getting started with the identification of risks specific to their business and the associated control objectives.
The SOC Readiness Assessment provides an excellent introduction of the SOC methodology and process to client personnel. Additionally, the assessment establishes expectations for the future audit with regards to the time commitment required by key client personnel. Most importantly, the assessment provides the client with an initial draft of their description of controls and a gap analysis detailing the recommendations needed before the actual SOC audit.
Deliverables
The primary SOC Readiness Assessment deliverables include a report containing the description of controls for use in the subsequent SOC audit. The report details the specific control objectives and the associated control activities. A gap analysis is also provided detailing improvement opportunities in the existing internal control environment that should be implemented prior to the execution of the SOC audit.
Type 1 SOC Audits
A “Type 1 Service Auditor’s Report” is a report on controls placed in operation as of a specific date. Type 1 reports provide independent third party verification by a licensed CPA firm. The service auditor expresses an opinion on (1) whether the service organization's description of its controls presents fairly, in all material respects, the relevant aspects of the service organization's controls that had been placed in operation as of a specific date, and (2) whether the controls were suitably designed to achieve specified control objectives. The auditor’s opinion deals with the fairness of presentation of the controls and the design of the controls in terms of their ability to meet defined control objectives. Since these reports only provide assurance as of a single date, they are of limited value to third parties.
Unlike a Type 2 SOC audit, no testing is performed to determine the operating effectiveness of the controls described in the report. Therefore, a Type 1 report does not provide user organizations or their auditors with a basis for reducing their assessment of control risk below the maximum level.
During a Type 1 audit, auditors perform specific procedures to support the opinion letter accompanying the report. The opinion letter addresses the following two objectives:
1) Whether the description of the controls prepared by the service organization presents fairly, in all material respects, the relevant aspects of the service organization’s controls that had been placed in operation as of the specified review date; and
2) Whether the controls were suitably designed to provide reasonable assurance that the specified control objectives would be achieved if those controls were complied with satisfactorily.
The Type 1 report is generally used only for informational purposes, but it carries weight because a licensed third party CPA firm verified the information contained in the report. Another advantage of the Type 1 report is that it provides user organizations with relevant information while the company allows enough time to pass for its controls to be tested effectively for the Type 2 report. It communicates to user organizations that the company is committed to completing a Type 2 audit. Type 1 reports can also be used for marketing purposes to provide information to potential customers.
Type 2 SOC Audits
A “Type 2 Service Auditor’s Report” is a report on controls placed in operation and tests of operating effectiveness over a specific period of time. Type 2 reports provide independent third party verification by a licensed CPA firm and opinions on controls that were in place over a period of time (typically six months or more). The opinion deals with the fairness of presentation of the controls, the design of the controls with regard to their ability to meet defined control objectives, and the operating effectiveness of those controls over the defined period. Third parties are better able to rely on these reports because verification is provided regarding these matters for a substantial period of time.
During a Type 2 audit, auditors perform inquiry, observation, examination of documentation and re-performance testing of the service organization’s description of controls so that the auditor’s opinion can adequately address the following objectives:
1) Whether the description of the controls prepared by the service organization presents fairly, in all material respects, the relevant aspects of the service organization’s controls that had been placed in operation as of the specified review date;
2) Whether the controls were suitably designed to provide reasonable assurance that the specified control objectives would be achieved if those controls were complied with satisfactorily; and
3) Whether the controls that were tested were operating with sufficient effectiveness to provide reasonable, but not absolute, assurance that the control objectives were achieved during the specified review period.
The SOC audit guide recommends, but does not require, that Type 2 examination periods be at least six months in length. Companies generally choose a review period of between six and 12 months. There is no requirement or recommendation that the examination period fall completely within the calendar year.
Additionally, each service organization is responsible for its own decisions regarding the type of audit it undergoes, the timing of the audit, and, for a Type 2 audit, the review period.
User organizations prefer a Type 2 audit report whose examination period has as many months as possible falling within their own fiscal year and whose examination period end date is within three months of their fiscal year end. Most service organizations have many user organizations and often cannot satisfy all of their clients with a single audit per year, regardless of the length of the review period. However, this does not render the report useless; audit guidance and SOX guidance provide specific directions for dealing with this common situation when it occurs.