If you currently have a SOC examination performed, how often do you or your auditors review each control to make sure they are up to date and mitigate the risk as intended?
If this is not part of your annual process, it should be. Not only can this help the auditors gain a better understanding of the controls, it can also help identify opportunities for new controls or system controls, determine proper control ownership and potentially centralize controls within a department—all of which will help the SOC examination process run more smoothly for everyone involved. This exercise might appear to add time to the overall SOC process, but it will help optimize your control set and create efficiencies that over time should reduce the overall time investment for your organization.
When analyzing your control activities, think about what risks the control is designed to mitigate. The control will be performed either manually or systematically to prevent that risk or detect instances of non-conformity. This will help identify what controls are mitigating the key risks associated with the service you are performing for your clients and can help reduce and streamline the controls included within the scope of the SOC examination. It is helpful to assign a value to each control based on the risk the control is designed to mitigate, which will identify what the key controls actually are.
As systems keep evolving, manual detective controls can potentially be replaced with systematic preventative controls if the system controls are properly designed and mitigate the majority of the risk. Taking advantage of system controls is one aspect of control optimization to drive efficiencies in your SOC examination process. This analysis should be done in conjunction with the risk identification process, when assessing the risks that the controls are designed to mitigate. During that analysis, consider where there are multiple controls mitigating the same risk, as this is an opportunity to analyze the strength of those controls. Also, question whether all of these controls are necessary to mitigate the associated risk. Prior to removing any controls, you must consider whether the control objective (for a SOC 1) or the Trust Services Criteria (TSC) (for a SOC 2) can still be satisfied by the remaining controls under that control objective or TSC.
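The steps above (value each control by the risks it mitigates, find risks covered by more than one control, and confirm that every control objective or TSC stays covered before a manual control is retired in favor of a system control) can be run as a simple coverage check over a control inventory. The following is an added example, not code from the original article or from Schneider Downs; the control set, risk weights and the mapping of controls to TSC references are constructed for illustration, and whether a system control is "properly designed" remains a judgment the auditor tests, so the script only surfaces candidates.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Control:
    """One control activity from the SOC control inventory."""
    cid: str
    description: str
    kind: str               # "manual-detective", "manual-preventative" or "system-preventative"
    risks: frozenset        # risk ids the control is designed to mitigate
    criteria: frozenset     # control objectives (SOC 1) or TSC (SOC 2) the control supports

    @property
    def is_manual(self) -> bool:
        return self.kind.startswith("manual")


# Constructed risk ratings (assumption): higher number = more severe risk.
RISK_WEIGHT = {"R1": 5, "R2": 4, "R3": 4, "R4": 2}

# Constructed control inventory (assumption); TSC references are illustrative mappings.
CONTROLS = [
    Control("C1", "Quarterly manual review of user access listings",
            "manual-detective", frozenset({"R1"}), frozenset({"CC6.1"})),
    Control("C2", "Identity provider disables accounts automatically on HR termination",
            "system-preventative", frozenset({"R1", "R2"}), frozenset({"CC6.1", "CC6.2"})),
    Control("C3", "Manager approves change ticket before production deployment",
            "manual-preventative", frozenset({"R3"}), frozenset({"CC8.1"})),
    Control("C4", "Deployment pipeline blocks releases without an approved change ticket",
            "system-preventative", frozenset({"R3"}), frozenset({"CC8.1"})),
    Control("C5", "Annual review of vendor SOC reports",
            "manual-detective", frozenset({"R4"}), frozenset({"CC9.2"})),
]


def control_value(control: Control, risk_weight=RISK_WEIGHT) -> int:
    """Value of a control is the summed weight of the risks it mitigates."""
    return sum(risk_weight[r] for r in control.risks)


def key_controls(controls, threshold: int, risk_weight=RISK_WEIGHT) -> list[str]:
    """Controls at or above the value threshold, highest value first."""
    ranked = sorted(controls, key=lambda c: control_value(c, risk_weight), reverse=True)
    return [c.cid for c in ranked if control_value(c, risk_weight) >= threshold]


def overlapping_risks(controls) -> dict[str, set[str]]:
    """Risks mitigated by more than one control: the places to compare control strength."""
    by_risk: dict[str, set[str]] = {}
    for c in controls:
        for r in c.risks:
            by_risk.setdefault(r, set()).add(c.cid)
    return {r: ids for r, ids in by_risk.items() if len(ids) > 1}


def uncovered_after_removal(cid: str, controls) -> tuple[set[str], set[str]]:
    """Risks and criteria that no remaining control would cover if `cid` were removed."""
    target = next(c for c in controls if c.cid == cid)
    remaining = [c for c in controls if c.cid != cid]
    risks_left = set().union(*(c.risks for c in remaining)) if remaining else set()
    criteria_left = set().union(*(c.criteria for c in remaining)) if remaining else set()
    return set(target.risks) - risks_left, set(target.criteria) - criteria_left


def can_remove(cid: str, controls) -> bool:
    """True only when every risk and every objective/TSC of the control stays covered."""
    risks, criteria = uncovered_after_removal(cid, controls)
    return not risks and not criteria


def replacement_candidates(controls) -> list[str]:
    """Manual controls whose risks are all mitigated by a system-preventative control
    and whose removal leaves every control objective / TSC covered."""
    system = [c for c in controls if c.kind == "system-preventative"]
    system_risks = set().union(*(s.risks for s in system)) if system else set()
    return [c.cid for c in controls
            if c.is_manual and set(c.risks) <= system_risks and can_remove(c.cid, controls)]


if __name__ == "__main__":
    print("key controls (value >= 4):", key_controls(CONTROLS, 4))
    print("risks with overlapping controls:", overlapping_risks(CONTROLS))
    print("manual controls a system control could replace:", replacement_candidates(CONTROLS))
    for cid in ("C2", "C5"):
        print(f"removing {cid} would leave uncovered:", uncovered_after_removal(cid, CONTROLS))
```

In the constructed set, C1 and C3 come back as candidates because C2 and C4 already mitigate the same risks and satisfy the same criteria, while C2 and C5 cannot be removed because R2/CC6.2 and R4/CC9.2 would be left with no control at all.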
Control optimization should reduce the amount of time that control owners at your organization spend pulling documentation for outdated manual controls, and reduce the time the auditors spend testing those controls and asking follow-up questions. Another way to drive efficiencies for your organization is to appoint one or two employees who are responsible for ensuring all documentation requested by your auditors is provided completely and on time. This is especially helpful when multiple departments or control owners are involved. It is also beneficial to ensure that the documentation supporting your control set is easily accessible. These simple concepts will help streamline the process and cause fewer interruptions to your day-to-day operations during the SOC examination.
For more information on SOC efficiencies and control optimization, or on how Schneider Downs can assist in strengthening controls or identifying efficiencies, please reach out to [email protected].