With the implementation of SSAE 16, the AICPA developed two additional reports for service organizations, termed SOC 2 and SOC 3 reports. These reports verify that a service organization has undergone an in-depth audit of its internal control processes related to the security, availability, processing integrity, confidentiality, and privacy of non-financial information. The AICPA and the Canadian Institute of Chartered Accountants (CICA) developed the Trust Services Principles, Criteria, and Illustrations for Security, Availability, Processing Integrity, Confidentiality, and Privacy as the standard for completing SOC 2 and SOC 3 services.
Two types of SOC reports
A SOC 1 Type I report identifies whether the service organization’s internal controls are appropriately designed as of a specified date. A SOC 1 Type II report identifies whether the service organization’s internal controls are appropriately designed over a specified period of time, usually 6 to 12 months (as few as 2 months for SOC 2 and SOC 3), and whether the controls operated with sufficient effectiveness during that same period.
What are the benefits of a readiness assessment?
- Helps ensure service organizations have sufficient internal controls in place to achieve an unqualified opinion from the independent service auditor.
- Helps service organizations determine if the scope of the SOC audit should be a Type I or Type II report.
- Helps service organizations determine, for a Type I report, the effective date the controls were placed in operation and, for a Type II report, what the reporting period should be.
The Rehmann Approach
Phase I — Project Planning
- Develop scope of work
- Define roles and responsibilities
- Gain an understanding of key business processes and related information technology controls
Phase II — Control Evaluation
- Assist in compiling documentation to support the description of controls
- Evaluate the business process controls and information technology controls
- Identify control deficiencies, if any
Phase III — Reporting
- Communicate control deficiencies to management
- Review management’s control remediation plans and timelines for completion
- Prepare the readiness assessment report that includes management’s remediation plans and timelines for completion