SOC Readiness | New SOC Guidelines
Trying to make sense of the new SOC guidelines? If your company needs a SOC report required by clients, business partners, or other third parties, you need to be aware of the latest guidelines published by the AICPA.
What Do They Mean For Your Company?
The examination performed in the past for SOC reporting will no longer suffice. Board of Directors and C-level management involvement and oversight are required, and relegating the SOC process to mid-level management is no longer an option. Since CFOs are responsible for internal controls, they are ultimately accountable for a proper SOC engagement. And, on an ongoing basis, the CFO and other C-level management will need to stay engaged, continually monitor internal controls and outside vendors, and re-evaluate risk and mitigation strategies.
The AICPA has issued new SOC for Service Organization logos and SOC for Cybersecurity guidelines. Coming soon will be SOC for Vendor Supply Chains guidelines. Additionally, SSAE16 has been updated to SSAE18 effective 5/1/2017 and will have the following impact on upcoming SOC examinations:
- Evaluation of the reliability of information produced by the entity (IPE). Examiners will now be required to determine the reliability (including completeness of populations) of IPE and describe their tests on the reliability of IPE.
- Vendor management and monitoring of subservice organizations by the service organization.
- Identification and reporting on complementary subservice organization controls (CSOC). These were already included in SOC 2 examinations; disclosure is now required for SOC 1 examinations as well.
The former SOC 2 framework has been updated and became effective 12/15/2018. The AICPA has released a mapping from the former trust services principles and criteria to the new trust services criteria (TSC). The SOC 2 TSCs were revised to align with the COSO framework (Committee of Sponsoring Organizations of the Treadway Commission’s 2013 Internal Control – Integrated Framework) and new criteria have been added which address:
- Board/Senior Management oversight
- Procedures to identify vulnerabilities
- Business disruption risk mitigation
- Vendor and business risk management
- Cybersecurity risk identification and mitigation
Are You Confident about Your Company’s SOC Readiness?
Preparing for a SOC audit is very important – and a sound approach, with experienced professionals, will provide long-term value to the organization. Readi Consulting is able to answer questions about the latest SOC requirements and SOC readiness. Contact us for a consultation and be confident your upcoming SOC engagement is successful.