First Time SOC Audit? Common Issues You May Encounter
posted Jun 25, 2018 by Daniel M. Andrea, CPA, CITP, CISA in the Business Blog
Do you provide critical outsourced services to your customers? Your customers might expect you to have a Service Organization Control (SOC) report in place, which requires an examination by an independent auditor. If you’re a technology company, this is especially important. The three report types differ in scope: a SOC 1 report covers controls relevant to your customers’ financial reporting, while SOC 2 and SOC 3 reports cover the trust services criteria (security, availability, processing integrity, confidentiality and privacy). All of them, however, depend on controls over information technology security and operations, and certain components of these examinations take on an added focus for technology service companies.
4 common issues
As you work through your first SOC examination, here are four common issues I have encountered that negatively affect an auditor’s assessment of your controls.
1. Failure to formalize risk assessment
I find that companies (technology companies in particular) often fail to formalize their risk assessment process. An entity’s risk assessment is its identification, analysis and management of risks relevant to its internal operations and to user organizations (i.e. its customers). As part of the risk assessment, each risk is documented and assigned a weighted score, typically combining the likelihood of the risk occurring with the impact if it does. The higher the score, the higher the priority of the risk. Higher-risk items are addressed first, with appropriate controls implemented and monitored to reduce the risk to an acceptable level, and the auditor will expect to see the risk register, the scoring method and evidence that the controls were mapped back to the risks they address. This is a continuous process; organizations need to revisit and revise the assessment upon changes in business operations, technologies or the regulatory environment.
2. Failure to have a robust Vendor Management Program
The most significant change in the requirements a service organization must meet is ensuring that its vendor management program for subservice organizations (for example, colocation facilities) is sufficiently robust. SSAE 18 (the standard associated with SOC reporting) requires that service organizations implement processes to monitor the controls at subservice organizations, in particular those whose services are carved out of the report, because the service organization remains responsible for the controls it relies on those providers to perform. SSAE 18 suggests the following monitoring activities:
- Review and reconcile output reports.
- Hold periodic discussions with the subservice organization.
- Make regular site visits to the subservice organization.
- Test controls at the subservice organization by members of the service organization’s internal audit function.
- Review Type I or Type II SOC reports on the subservice organization’s system (a Type II report covers operating effectiveness over a period; check that the period overlaps your own review period and follow up on any exceptions the report notes).
- Monitor external communications, such as customer complaints relevant to the services by the subservice organization.
3. Failure to maintain control points in system development
As you may know, there are several methods of developing software, two of them being the waterfall and agile methodologies. The waterfall approach is the traditional model in which a project is broken into distinct stages (requirements, design, build, test, deploy) that must be completed in sequence; you must finish one stage before proceeding to the next.
The agile approach, on the other hand, focuses on being lean and producing working software in short, fixed iterations, improving with each one. It emphasizes teamwork, user feedback, adaptation and continuous improvement.
As more and more companies adopt agile methodologies such as Scrum, the control points that are clearly visible in a waterfall process become blurred: documented and approved requirements, evidence of testing, segregation of duties between those who write code and those who deploy it, and a recorded approval before a change reaches production. Although there are numerous benefits and efficiencies under an agile approach, we often see these key control points minimized for the sake of delivering product features in the two-week sprints common in agile teams. The auditor does not require a waterfall process, but does require evidence that each change was authorized, tested and approved before release, so these steps need to be built into the sprint workflow (for example, as mandatory code review and a release approval recorded in the ticketing or source control system) rather than dropped.
4. Failure to have a formal data classification policy
Finally, it is imperative for companies that host, manage, store or otherwise have access to customer data to have a formalized Data Classification Policy. Data classification is the identification and tiering of different types of data according to the confidentiality, integrity and availability required of each (for example: public, internal, confidential, restricted), with the handling requirements for each tier (access restrictions, encryption, retention, disposal) defined in the policy. If organizations don’t know what data they have and how sensitive it is, it is difficult to implement an approach to secure that data, and difficult to show an auditor that the controls match the sensitivity of what they protect.
If you don’t have these four areas covered by your current practices, you’ll want to update your methods and policies to be in a good place for your first SOC audit. An auditor will want to ensure that your organization has the right controls in place to address cyber risks in the best way possible.
Questions on SOC Examination Issues? Reach out to our Information Technology team today.