Undergoing SOC II Type I

Will Bryant
Feb 11, 2021

This past year (2020) Quantalytix worked on becoming SOC 2 Type 1 compliant. As part of this endeavor, I was tasked with leading the project and wanted to use this article as a way to gather my thoughts on the undertaking and share the lessons I learned along the way.

For those unfamiliar with the concept, “SOC” stands for System and Organization Controls. As the name implies, the focus of the certification is on the systems and controls your organization has in place to ensure timely, accurate, and suitable delivery of business objectives.

This is important not only as an internal objective but also as a way to assure clients (typically large enterprises) that you have the systems in place to deliver sound services — ultimately building trust. This comes into play especially during procurement and can help shorten lengthy sales cycles.

So where do you even begin when it comes to this process?

First, you will need to find a firm that is capable of conducting the audit and issuing the certification. Quantalytix went with Warren Averett, a firm that provides accounting services, technology resources, HR solutions, and advisory services.

Once both parties agree to the engagement, you need to determine the date by which you would like to have the audit completed. Once this is determined, you will be issued a letter stating the nature of the engagement. At this point, you will begin the actual work to become SOC 2 Type 1 compliant.

Order of Operations

When I first began working on SOC, it was fairly overwhelming trying to determine where to start. Online resources painted a high-level overview of what it was but didn’t necessarily offer tactical advice on how to begin. However, having gone through the process, here is my advice:

Step 1: Build your ‘Controls Matrix’

From my experience, this will come in the form of a multi-tab Excel spreadsheet containing a voluminous list of criteria for which your organization should, or will need to, have systems, controls, and processes in place.

My advice is to take it one tab and one row at a time. What you will find is that although there are numerous criteria (rows) there will likely be overlap between your responses. As you fill in your responses, use scheduled calls with your auditor to gain clarity on whether certain overlapping responses are appropriate or whether a more specific response is required.

As you work your way through the Excel sheet, you will likely find certain gaps in controls. Take note of these and come up with solutions. Again, use the scheduled calls with your auditor to get clarity on whether the solutions you arrive at meet the criteria listed in the Controls Matrix.

Step 2: The Risk Assessment

Within the Controls Matrix, there is reference to what is called a Risk Assessment. This document is a separate entity from the Controls Matrix and, as the name implies, is used to assess the risks to your organization and operations.

Similar to the Controls Matrix, this document can also be created in Microsoft Excel or Word in table format. Basic headings within the table should include things like area of impact, threat, data type impacted, risk type, likelihood of occurrence, potential damage to company, adequacy of current controls, and exposure. The table should also list the key controls in place to address each risk while referencing the specific Control Criterion (as found in the Controls Matrix).

Step 3: Controls Description

Finally comes the Controls Description. As the name implies, this document is a written description of your company’s systems and the controls in place. The meat of this document will be in Section III (of V total). This section is the System Description and ought to be guided by what is written in your Controls Matrix. The description does not have to be exhaustive and include every individual control; it should instead cover the larger criteria items. You will also need to include some high-level background information on your organization, such as mission, organizational structure, and services.

Step 4: Review and Approval

Once you complete the Controls Description, you are ready for final submission. At this point the firm conducting the audit reviews all policies and procedures that have been designed and implemented, completes its documentation of the examination, undergoes Partner Review, and issues the final report and opinion for the SOC 2 report.
