How long does it take to get a SOC Report?

SOC COMPLIANCE

By Scott M. McAuliffe, CPA, CISA, CFE | Risk Advisory Services Partner

Part 2 of a 4 Part Series on SOC Reporting

Service Organizations May Not Be Ready For the SOC Report Examination Process.

Once a service organization has determined the type of SOC report that is appropriate for the services it provides, the next question that a service organization executive asks, is how long will it take to get the report? In most cases, the service organization is not be ready to immediately go through the SOC report examination process. To determine if your service organization is ready, you need to ask the following:

• For the services that you provide to customers, are your processes, systems, and controls thoroughly documented?
• How strong are your entity-level controls? Do you have a Code of Conduct? Do you perform background checks, have job descriptions, and provide adequate training to employees? Do you conduct risk assessments?
• Do you have controls in place to monitor the service organizations that you use and rely upon as part of the services you provide to your customers?
• Do you maintain support for your controls so that they can be tested? For instance, are you aware of any reviews/approvals that are not documented (e.g., an approval that is provided verbally or not specifically notated or maintained)?
• Are your controls consistently performed? For example, for every change to a user’s access is there a properly approved user access request form or in certain cases when time does not permit or the approver is out of the office, was the request processed without the approval to keep the business going?

Performing A Readiness Assessment

In most cases, a service provider will answer yes to most or all of these questions. As a result, the majority of service organization going through the SOC process for the first time will want to have a Readiness Assessment performed. During a Readiness Assessment, a CPA firm or other competent consultant will assist the service provider with documenting its processes, systems, and controls, as well as perform a gap analysis to determine if there are missing controls or controls do not seem to be operating consistently. Depending on the scope and complexity of the organization, the Readiness Assessment process can take from a couple of weeks to several months.

Once the Readiness Assessment is completed, the service organization will need to remediate any control gaps prior to starting the SOC report examination process. Depending on the service provider, it can take weeks to months to remediate these gaps depending on its resources, motivation (how hard customers are pressuring for the report), and complexity/severity of the gaps.

As one can see, a service organization will need to plan ahead when seeking to obtain a SOC report to provide it with adequate time to go through a readiness assessment process and remediate any gaps.

Are you considering a SOC report and need help with the Readiness Assessment? Keiter’s Risk Advisory Services team can help you.

Access all of our articles in our SOC Reporting series

• Does your service organization need a System and organization Control (SOC) Report?
• When to Choose a SOC 1 vs SOC 2 Report
• 8 Steps to Prepare for a System and Organization Control Report