Demonstrating your cybersecurity practices to potential customers has become an expectation for vendors. As one of the most common reports you can obtain in cybersecurity, System and Organization Controls (SOC) reports help differentiate your organization by reporting on controls and providing oversight of your organization’s governance and risk management process.
A few benefits of SOC reports include:
This is the second installment of a two-part series on what to expect from each stage of the SOC audit. See the first blog on Phase 1: The Readiness Assessment, which outlines what your organization can do to prepare for your SOC examination.
Currently, BARR offers SOC 1, SOC 2, SOC 3, and SOC for Cybersecurity examinations. Let’s take a look at what the engagement process looks like and what you’ll gain from your SOC examination.
The SOC examination is the core of obtaining your SOC report. It is the main event of your engagement: this is where you work with your engagement lead to create a plan and assess your controls through walkthroughs, which lead to your final deliverable.
A SOC examination will typically take 3-12 months to complete. Below is a list of SOC reports that BARR offers and how they differ from one another:
As your trusted partner, BARR will walk you through each of the following steps to obtain your SOC report and ensure you reach your cybersecurity goals.
A kickoff call is scheduled to confirm everyone is on the same page with the scope, timelines, deliverables, and personnel needed for the assessment. You will be responsible for confirming control wording and drafting your system description. BARR will provide information requests based on the agreed scope and controls.
This takes place 60-120 days before the end of the examination period.
Your engagement team will schedule a walkthrough with your team to assess the controls and any preliminary issues. Your time is valuable, so to keep the walkthroughs efficient, BARR reviews the information you provided in response to our requests and your control activity in the compliance automation software before the walkthroughs take place.
Walkthrough duration depends on the complexity and size of your environment; however, four hours is the typical time commitment.
A walkthrough is a meeting, or series of meetings, to discuss the design and operation of your organization’s control environment. This is a time for the engagement team to ask questions concerning how the controls are designed and how they operate, providing the engagement team with a deeper understanding of your control environment to support our assessment.
Depending on your reporting period, walkthroughs are most effective in the following time periods:
You’ve made it through your examination—now what can you expect? BARR will provide a draft of your report no later than 30 days after the examination period ends. After you’ve reviewed the draft, we perform a final editorial and quality review, and you then sign off on the management representation letter.
Finally, BARR awards you your SOC report, which you can use to build customer trust. We not only celebrate with you but also help you improve your security posture and plan the next steps for continued success.
Type 1 Report: The SOC 2 Type 1 Report (referred to as a point-in-time report) includes an opinion on the suitability of the design of controls at the service organization at a specific point in time. An initial Type 1 report often serves as the starting point for subsequent Type 2 reviews.
Type 2 Report: The SOC 2 Type 2 Report (referred to as a period-of-time report) includes an opinion on the suitability of the design of controls at the service organization and on the operating effectiveness of those controls throughout a specified period of time. This type of report is often issued annually.
With SOC 1, SOC 2, and SOC for Cybersecurity, you have the option of selecting whichever report type best fits your organization’s needs at the time. However, it’s important to note that SOC 3 examinations are only available as a Type 2 report.
The SOC 3 report is designed for users who want assurance on a service organization’s controls but do not need the detailed, comprehensive SOC 2 report. Because SOC 3 reports are considered general-use reports, you have the option of distributing the report for marketing purposes, such as posting it to your website.
Once you receive your report, BARR will provide you with a promotional package and schedule a debrief to review improvement opportunities for your security program, rate the engagement, and plan your next engagement.
Interested in learning more about how to differentiate your organization with a SOC examination? Contact us today.