Blog

When planning for a SOC examination, there are several decisions that the service organization undergoing the evaluation must make in order to ensure their needs—as well as those of their customers—are met, be it deciding which vendors are subservice organizations, treatment of subservice organizations (carve-out vs. inclusive), or which type of report you need. Another key decision you must make is determining your SOC reporting period, and there are a few factors to consider before you do so.

For anyone immersed in digital technology, you know that artificial intelligence (AI) is all the rage right now, and for good reason, the use cases for this technology are growing all the time. But as AI continues to enmesh with daily life as well as business, security concerns have grown in parallel, as have questions regarding the implications on organizations and their ongoing compliance efforts. At the top of mind for many has been how AI factors into SOC 2 examinations.

As they’re now two of the most popular compliance initiatives in the world, many organizations often choose to pursue either SOC 2 or ISO 27001, and others are tackling both. In fact, there are strategic benefits to be gained in undergoing both a SOC 2 examination and achieving ISO 27001 certification, especially as you can do both at the same time.

Ugh, it’s happened—during your SOC examination, your service auditor identified a deviation from your intended process, and that resulted in a testing exception. Given that your customers (and other stakeholders) are relying on your SOC report for reassurance regarding the effectiveness of your controls, you need to address that deviation—but how?

As the need for SOC 2 examinations continues to grow domestically as well as internationally, many organizations now either find themselves taking on more and more assessments or trying to appease a client base that requires a SOC 2 examination when the typical product or platform approach may not apply. When these situations crop up, we are seeing more adoption of what’s known as an enterprise services SOC 2 examination.

When pursuing a SOC 2 examination, a popular first step for many organizations—particularly those just stepping into the world of compliance for the first time—is the SOC 2 readiness assessment. But for those first-timers who don’t know what to expect from such a process, it might help to have a primer.

Internal Audit (IA) and Governance, Risk, and Compliance (GRC) professionals are often charged with reading SOC reports from service providers to gain an understanding of each vendor’s controls, but many may not know how you can also use these reports to also enhance, mature, and drive their own audit and governance functions.

Though the timeline of a completed report varies greatly based on numerous factors within your organization, a SOC 1 examination generally always moves through the same three phases of planning and preparation, fieldwork, and reporting stages.