While outsourcing operational activities may increase efficiency, productivity, and cut costs, it may also increase significantly the operational risk levels. As a result, major financial or critical infrastructure organizations (User Entities) may be reluctant to outsource critical services to an external provider unless they can ensure the benefits of such a collaboration will outweigh the risks. Suppliers of such service environments (Service Organizations)  include data centers, infrastructure, cloud operations, application development, and support or IT services are often required to provide their clients with the assurance that their internal control environment is capable of delivering the expected results while operating in a secure and effective manner. The reporting based on the AICPA’s System and Organization Controls (SOC) provides such assurance on the reliability levels of these types of service organizations and their security posture.

For a Service Organization looking to obtain a SOC report, the organization must be audited by an independent third-party, usually a CPA firm. Depending on the client requirements and management objectives, the organization must decide on the type of SOC report they should complete:

• SOC 1 – Internal Control over Financial Reporting;
• SOC 2 –Trust Service Criteria;
• SOC 3 –Trust Services Criteria for General Use Report;

Type 1 – Reports on the accuracy of controls at a service organization at a specific point in time. The report also describes the organizational system and how it works to achieve goals related to customer satisfaction.

Type 2 – Reports on the accuracy of the presentation of Management’s descriptions of the service organization system and the accuracy, the efficiency of the design of the controls to achieve the related control objectives over a time period (typically 6 months). This type of SOC report covers as necessary, the control framework based on the principles of Security, Availability, Confidentiality, Processing Integrity, and Privacy.

Once the Service Organization identifies the suitable SOC report, the auditor firm could perform a SOC Readiness Assessment. Depending on how the organization scores during this exercise, it might be possible for the audit organization to generate the actual SOC report directly.
However, given the complexity of the requirements, the Service Organization may not be ready or is lacking significant controls, documents, or artifacts related to the scope of the report.
At this point, the organization may attempt to implement the controls and create the necessary documentation by itself, which, depending on the internal resources and knowledge, can be a daunting task leading to sunk costs, lost time, and incorrect documentation and artifact generation. More importantly, deviations and non-conformities identified during the audit may be included in the SOC report by the auditors and therefore communicated to the client organization.

Seratos helps its clients in successfully achieving SOC compliance. From selecting the right auditor organization to providing support in generating the actual report, our consultants will deliver the right combination of skills and knowledge in a timely manner so your organization achieves the intended results. Our consultants work jointly with the auditors and internal stakeholders to establish a realistic timeline for the SOC project. Our expertise in quality and information security management allows us to quickly identify existing operational and business controls and create necessary missing SOC controls in alignment with the requirements, including:

• Relevant Policies and Procedures including operational documentation, process diagrams, information security policies and procedures, work instructions;
• Screenshots and artifacts including system settings for relevant infrastructure and software will be identified and provided to the auditors;
• Evidence of specific activities and records through memoranda and internal attestations will be created and provided to the auditors;
• Seratos consultants will perform a risk assessment and will provide the organization with the necessary methodology, tools, and training required to ensure SOC 2 compliance
• Evidence of process and system monitoring through the use of logs will be provided to ensure the effectiveness of implemented controls;