In the second blog of this series, ‘What is the ROI of a SOC Report?’,' the benefits of a SOC examination were discussed. Now that you know the value of SOC examinations, we we will cover the process and duration of getting a SOC engagement.
Every organization is different and we tailor our approach to each client. Due to the variability of applicable circumstances and the versatility of these reports, it is not possible to provide an exact timeline. However, here is what you can expect:
- SOC 2 engagements, can be completed as of a date in time (Type 1) or over a period of time (Type 2). The type of engagement selected will obviously have an impact on the duration of planning, opportunities assessments, opportunity remediation, audit fieldwork, wrap-up, and report preparation.
- SOC for Cybersecurity engagements are only completed as Type 2, which are over a period of time.
See below for the stages of the SOC examination process:
Planning is crucial to prioritizing, effectively communicating, and setting the scope of the engagement. This stage will include selection of the criteria that will be tested and included in the final report. From there the nature, timing, and extent of audit testing will be determined and coordinated with the appropriate staff members. This stage can take from 1 to 3 weeks.
Most organizations choose to have an Opportunity Assessment completed prior to the SOC examination. This allows your organization to see where there are opportunities for improvement in the current environment when evaluating the requirements of the specified criteria (NIST CSF, ISO 27001/27002 (2013), or AICPA TSC). Opportunities are usually classified into two categories, those that are required to meet the specified criteria, and those that are desired, but not necessary with respect to the criteria (wish list). These opportunities are remediated prior to the beginning of the SOC examination. This stage can take from 1 to 8 weeks.
Remediate Identified Issues
During this stage management remediates the identified opportunities, thus timing will be contingent upon management’s resources and abilities. Setting goals and monitoring progress is imperative at this stage in order to reduce the time period of the overall engagement. This stage averages 4 to 8 weeks.
When the necessary opportunities are remediated, audit fieldwork can begin. Auditors will collect and examine evidence to support their opinion in the final report. One of the goals of the auditor is to minimize the amount of staff time required to respond to requests for information and other inquiries. To achieve this goal, this stage is usually a mix of on site and remote audit work. This stage can take 2 weeks to 3 months.
Wrap-up and Audit Report Issuance
Once audit fieldwork is completed, a draft of the report will be prepared. There are also several checklists and required schedules the auditor is required to complete in order to comply with AICPA’s professional standards. The firm also conducts a second partner review on all reports prior to issuance as part of our commitment to audit quality. Once the necessary reviews are complete, a draft will be provided to the client for review and discussion purposes prior to final issuance. This stage can take from 2 to 4 weeks.
Maintaining your Cybersecurity Risk Management Program
SOC reports are usually issued annually, but the Cybersecurity Risk Management Program must be ongoing. It is recommended that an internal audit process be implemented to ensure ongoing compliance with the program. Achieving an effective internal audit function to monitor the Cybersecurity Risk Management Program is easier than it might sound. Through the Opportunity Assessment stage and Audit Fieldwork, recommendations can be discussed to find the most efficient solution.
This portion should give you an idea of how the SOC examination process works and how long it takes. Watch for our upcoming posts which will take a detailed look at each SOC examination:
‘SOC for Cybersecurity: Breaking Down the Report’
‘SOC 2: Breaking Down the Report’