SOC audits: Show clients your company is secure
By Allison Wilson, CPA
With growing concerns about data security and internal controls, companies are increasingly turning to System and Organization Controls (SOC) audits to assure clients their confidential information is safe and the service they are paying for is secure.
Just as critical, SOC readiness assessments allow companies to spot any issues with their policies and procedures and shore up weaknesses before an examination is performed and an opinion issued.
From firms involved in medical billing and tax collection to payroll processing and hospitals, SOC audits are essential. More recently, companies with apps that provide services or pay people are conducting SOC audits.
SOC audits come in two types: SOC 1, covering all internal financial processes, and SOC 2 and 3, looking at the storage and dissemination of electronic data, including cybersecurity.
Typically, SOC audits look at a company’s operations over an entire year. However, interim audits can be performed. For example, if a payroll processor is bidding on a contract, it may deliver results from a three- or six-month audit to prove necessary protections are in place.
Audit prep and the SOC readiness assessment
To ensure a successful SOC audit, many companies initially undergo a readiness assessment, which looks at existing safeguards and procedures to see if they are adequate to the task. Unlike an audit, the assessment does not test the various systems but only looks at whether it appears any changes or improvements are needed.
For the readiness assessment and audit, companies need to document all processes. Over time, the way business is conducted may change and written policies and procedures must reflect current operations.
SOC 1 audits
A SOC 1 audit is where the rubber meets the road. Are the policies and procedures for handling data and financial transactions followed? Are they sufficient? Are there adequate safeguards against internal and external fraud? Is the software used suitable and accurate?
In one case, a SOC 1 audit found software used to transmit financial information to and from clients was not as secure as it could be, leading to a tax collector adopting a more secure program.
SOC audits at their heart are about testing, and SOC 1 audits take real-time looks at processes. Significantly, the review looks for what is not there – ways to improve security or streamline procedures. If software performs calculations, auditors look at the entire data trail to ensure correct information is received and that the result is accurate.
Audits look at the physical security, from document storage to whether there is sufficient supervision to guard against employee mistakes – or theft.
SOC 2 audits
SOC 2 audits concentrate on data security, including a company’s cyber resiliency. The review looks at the Trust Services Criteria, encompassing:
- Security: Are the company’s data and computing systems protecting against unauthorized access?
- Availability: Are the company’s systems able to meet the needs of the firm and its clients?
- Processing integrity: Are the processing systems complete and accurate?
- Confidentiality: Are there necessary safeguards to protect confidential information at all times?
- Privacy: Is confidential information collected, used, and stored in a way that protects against unauthorized dissemination or access?
Again, much of a SOC 2 audit focuses on electronically collecting, storing, and disseminating data. These audits cover everything from whether software is up to date and suitable for the task to how employees are trained against phishing attempts.
SOC 3 – showing the results safely
SOC audits detail a lot of sensitive information about internal processes. A SOC 3 is a sanitized version, giving enough information to satisfy clients that a company has good security and operations without details that could compromise security.
As data breaches and fraud continue to make headlines, companies and their clients want assurance that confidential information is secure and that financial services such as billing, tax and payroll processing are safe and accurate.
SOC audits show clients a company is serious about protecting information and, just as importantly, help companies improve internal controls.
The Boyer & Ritter team is ready to help your business prove it is a good partner that takes security seriously.