ISAE 3402 | SOC 1
Adapted to an organisation?
Systems and Controls – SOC reporting revolves around controls. An ISAE 3402 | SOC 1 report focuses on financial outsourcing, including asset management, SaaS providers (financial software), and data centers (storage of financial data). The SOC 2 report targets a broader scope for user organizations, with additional requirements on security, availability, processing integrity, confidentiality, and privacy. Our consultants guide many organizations in achieving the ultimate goal: a professional SOC report and an approving statement. What are the necessary steps to achieve this?
The Method
The initial steps involve understanding the criteria, selecting the right audit scope, and following a structured approach for implementation. In this article, we outline how this process unfolds. Obtaining an approved assurance statement relies on various factors and requires significant discipline from your employees in adhering to procedures and performing controls, but effective structuring and planning can greatly assist!
Criteria
The criteria for an ISAE 3402 | SOC 1 report mainly depend on the reporting procedures of the user organization, the SLA, and other requirements of the user organization. The criteria for an ISAE 3000 | SOC 2 report are developed by the American Institute of Certified Public Accountants (AICPA). The AICPA has developed criteria for trust services that are more descriptive and cover the control environment, risk management, communication, detailed controls, and detailed technical criteria.
In other words, the Trust Service Criteria broadly outline what needs to be done, but it is up to organizations to develop controls. Auditors verifying the organization’s controls through SOC audits examine each control to determine whether it is suitably designed, exists, and operates effectively to achieve the desired outcome. The first step in the SOC implementation process is defining the audit scope.
Scope of Control
Gaining an overview of the environment and systems is crucial for defining the scope. Therefore, Risklane SOC implementation projects commence with a thorough analysis of the organization, infrastructure, services provided, and processes. Without this analysis, the quality of the SOC report may not be optimal, ultimately leading to a qualified opinion or, at the very least, an ineffective ISAE 3402 or ISAE 3000 audit. For an ISAE 3000 | SOC 2 report, the next step is understanding the Trust Service Criteria.
Understanding Trust Service Criteria
The first step to understanding the criteria is acquiring them from the AICPA website and studying them in relation to the defined scope. The Trust Service Criteria are contained in an extensive document, and the specific language may sometimes be challenging to comprehend, but investing time in studying them will pay off in later stages of the audit. The Trust Service Criteria include examples for each criterion of the risks and controls that typically mitigate these risks. After understanding the criteria, controls need to be mapped to risks and vice versa.
Mapping Risks and Controls
The most common errors we identify in existing frameworks are unmatched or redundant controls. A control is unmatched when it does not effectively cover a defined risk; conversely, a risk for which no control exists is also unmatched. Redundant controls are those already covered by other controls, or that cover no risk at all. These redundant controls essentially exist without a real purpose. After this analysis and matching, the next step is creating a control matrix.
Creating a Control Matrix
Documenting control objectives and related controls in a structured control matrix is beneficial for more than one reason: it becomes the source for how risk controls are structured and implemented, and it is a significant reference document for your SOC auditors.
In the matrix, each Trust Service Criterion (for example, those related to monitoring controls) is linked to a list of affirmative controls, demonstrating how these controls mitigate the relevant risk and are well-designed and effective. In our experience, these entries should be as detailed as possible: who performs the control? What information is used? What is the outcome? How is this documented? Answering these questions will be very helpful for your auditor to validate that the listed internal control measures are present, designed to achieve the control objectives, and effective. In future articles, we will delve deeper into how to structure your control framework. Following this phase, the readiness assessment (pre-audit) takes place, after which the reporting is tailored and the final audit can be prepared.
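The two checks described in the last sections (finding unmatched and redundant controls, and confirming that each control answers the four questions an auditor asks) as an added Python example; this is not the article's or ControlReports' code, and the risk ids, control ids and attribute values are constructed for illustration:

```python
"""Consistency checks on a risk/control matrix (added example, constructed data)."""
from dataclasses import dataclass

@dataclass
class Control:
    cid: str
    risks: set          # ids of the risks this control is mapped to
    owner: str = ""     # who performs the control
    inputs: str = ""    # what information is used
    outcome: str = ""   # what the outcome is
    evidence: str = ""  # how the outcome is documented

# Constructed sample matrix: three defined risks, four controls.
RISKS = {"R1": "Unauthorised change to financial data",
         "R2": "Loss of backup media",
         "R3": "Unreviewed privileged access"}
CONTROLS = [
    Control("C1", {"R1"}, "Change manager", "Change tickets", "Only approved changes deployed", "Ticket system"),
    Control("C2", {"R1", "R3"}, "IT manager", "Access list", "Quarterly review signed off", "Review report"),
    Control("C3", set(), "Operations", "n/a", "n/a", "n/a"),  # mapped to no risk at all
    Control("C4", {"R9"}, "Operations"),                     # points at an undefined risk, attributes missing
]

def unmatched_risks(risks, controls):
    """Defined risks that no control is mapped to."""
    covered = set().union(*(c.risks for c in controls))
    return sorted(r for r in risks if r not in covered)

def unmatched_controls(risks, controls):
    """Controls mapped to no defined risk (empty or dangling mappings)."""
    return sorted(c.cid for c in controls if not (c.risks & set(risks)))

def redundant_controls(controls):
    """Controls whose every mapped risk is also covered by another control.
    Simplification: two controls that fully overlap are both flagged, because
    the matrix alone cannot say which one to keep; a reviewer decides."""
    flagged = []
    for c in controls:
        others = set().union(*(o.risks for o in controls if o.cid != c.cid))
        if c.risks and c.risks <= others:
            flagged.append(c.cid)
    return sorted(flagged)

def incomplete_controls(controls):
    """Controls missing any of the four attributes an auditor will ask about."""
    return sorted(c.cid for c in controls
                  if not all((c.owner, c.inputs, c.outcome, c.evidence)))
```

Run against the sample matrix, the checks report R2 as an uncovered risk, C3 and C4 as unmatched controls, C1 as a redundancy candidate (C2 already covers R1) and C4 as incomplete.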
Audit Preparation
The process described above may seem a bit daunting, but do not panic: we can support you in this regard. We can help you understand the Trust Service Criteria and advise you on how to effectively align controls with risks and remove redundant controls. Of course, you can also obtain a ControlReports license for ISAE 3402 | SOC 1 implementation or ISAE 3000 | SOC 2 implementation, which provides a well-defined approach and an effective workflow for examining, understanding, and defining the different elements. Both ultimately result in SOC reporting in accordance with our industry best practices, based on years of experience. Contact Securance (+31) 30 2800888.