By Christopher Moschella, CPA, CISA, Risk Advisory Services Senior Manager
By Chris Moschella, Risk Advisory Services Senior Manager
SOC Audit Challenge: The Generation and Preservation of Evidence
This is Part 1 of a two-part series on the two biggest challenges we see most clients face in SOC audits.
These concepts are equally applicable to other types of SOC audits including SOC 1, SOC 3, and SOC for Cybersecurity.
A System and Organization Control (SOC) 2 report documents the results of an auditor’s examination of the accuracy of the service organization’s description of its system, the design effectiveness of the internal controls, and the operating effectiveness of internal controls.
Evidence of Controls
A control operated effectively if, throughout the entire audit period, the control was consistently performed in accordance with the underlying procedures. To test operating effectiveness, your SOC auditor will examine evidence that your organization produces when executing the control. Unfortunately, your auditor cannot rely solely upon your representations that you performed a control, they need evidence.
It’s not that your auditor doesn’t trust you; it’s that they can’t trust you. The auditor’s evidentiary requirements for SOC 1 and SOC 2 exams are documented in SSAE 18. In fact, the word “evidence” appears 317 times. Fortunately, organizations do not need wade through dense audit guidance to understand auditor expectations. You can safely boil it down to this maxim: If it wasn’t documented, it didn’t occur.
Consistently generating sufficient audit evidence is easily one of the most significant challenges faced by a service organization preparing for or undergoing a SOC exam. In our experience performing SOC 1 and SOC 2 readiness for our clients, we’ve found that most organizations have most of the controls in place that they will need for the audit. However, they generally do not create and retain the evidence that would be needed to prove to an auditor that the control was performed. For most small and midsize businesses, there is simply no reason to create and retain this documentation unless you need it for compliance purposes.
Take this very common example of a user access request control procedure. Note the differences in documentation retained in an organization that has a SOC 2 ready process.
|Not SOC 2 Ready||SOC 2 Ready|
|Prior to granting user access to the computer system, the user’s supervisor requests in person, over the phone, or via email the user’s access.||Prior to granting user access to the computer system, the user’s supervisor completes a computerized form that indicates the specific roles to which the user requires access.|
|Evidence Retained: Sporadic evidence is retained in email only. If the employees that are party to the email leave the organization, the little evidence that exists may be destroyed.||Evidence Retained: The computerized form automatically documents approvals from the employee’s supervisor. The request is timestamped, so the auditor can verify that access was not granted prior to being approved.|
Preparing for a SOC 2 Exam – Organizational Culture Changes
As your organization prepares for a SOC 2 exam, there is typically a cultural change that must occur. The control consciousness of the entire organization must be elevated. Staff in the organization are accustomed to doing things a certain way, and the rigor of SOC 2 documentation and evidentiary requirements will undoubtedly create more work to do the same job. In every organization, some staff will be obstinate to the additional formalities they see as adding no value. This can lead to testing exceptions in the SOC report. Given the foregoing example, it is not hard to imagine a situation where an organization has a well-designed electronic access request form, but an employee simply calls the IT department to request access, bypassing the form. Instead of asking the person to complete the form, the IT staff simply grants the access. These situations frequently occur and must be avoided.
Service organization management must take a lead role here. Organizations with management leading the way by establishing a strong tone at the top and leading by example are always to better positioned than those that don’t. It isn’t true that, just because something is important to management, it will always be important to all staff, but the inverse is almost always true. If something is not important to management, it will almost certainly not be important to staff.
One of the biggest challenges faced by organizations undergoing a SOC audit is the generation and preservation of evidence to provide to your auditors to demonstrate your controls are operating effectively. You can generally assume that auditors follow the rule: If it wasn’t documented, it didn’t occur. Most organizations will need to modify their procedures so that the controls generate the evidence auditors are required to obtain. Service organization staff must be made to understand that the process must be followed to the maximum extent possible. Taking shortcuts leads to testing exceptions that are disclosed in the report, and nobody wants that. Organization management plays a critical role by establishing a strong tone at the top, thereby elevating the control consciousness of the entire organization, improving the likelihood for success.
Keiter provides SOC Exam and Exam Readiness Services for all types of SOC exams. Our SOC services are provided by our Risk Advisory Services Team, which is led by experienced CPAs, CISAs, and technology professionals with industry experience. Our Risk Advisory Teams services a variety of industries and business types.
Please contact us to discuss your company’s SOC needs. Risk Advisory Services Team | Email | Call: 804.747.0000
Additional SOC Resources
About the Author
The information contained within this article is provided for informational purposes only and is current as of the date published. Online readers are advised not to act upon this information without seeking the service of a professional accountant, as this article is not a substitute for obtaining accounting, tax, or financial advice from a professional accountant.