You’re a small business of 20 or so people. It’s hard enough to keep up with customer demands, and to add to the workload you seem to get a new “security” questionnaire from customers every week. These questionnaires are time-consuming to complete, and none of them are the same. Many of the requests indicate they will accept a “SOC” report, but you feel like those are only for large companies with large budgets and teams.
Or perhaps you finally get a bite at that “big fish,” the large potential customer that would make a significant impact and really put your business “on the map.” As you read the contract, your enthusiasm dims when you see a requirement to submit a “SOC” report to qualify for the work.
Do either of these scenarios sound familiar? In the first instance, you may resign yourself to filling out never-ending customer questionnaires. In the second, you may assume you won’t be able to go after your dream customer after all.
Neither of those outcomes is ideal or necessary, even for smaller companies. If you’ve considered having a SOC report created for your business but think that you can’t because they are only for large entities, think again. Your small business can produce one by following some key best practices — resulting in the same benefits enjoyed by many larger competitors.
At a high level, SOC 1 and SOC 2 reports offer assurance regarding your service organization’s internal controls and data security. They also help you establish and maintain credibility with your customers, investors and regulators. SOC reports can provide many benefits to a service organization. They:
As a small organization, you are right to assume you will face some challenges in completing a SOC report. Your organizational structure may be less formal; a smaller staff may make segregation of duties more difficult; your control documentation may be informal; and you may have fewer resources to maintain a formal reporting system around SOC activities and controls going forward.
In spite of these challenges, your small business can successfully navigate the SOC landscape, meeting the control requirements and issuing a report that satisfies SOC criteria and customers. The following key activities and best practices can help:
SOC reports at their core are about performing control activities to meet specified criteria, performing those activities consistently throughout the year and proving you’ve done so via appropriate documentation. One key strategy is to automate as many processes as possible.
For example, using an HR software tool can help ensure employee onboarding, evaluations and training activities are completed on time and documented appropriately. Using an automated “ticketing” system lets you document when key activities must be performed, who is involved in performing them and the results. For example, you can enter into the system the activity to conduct an annual risk assessment, along with the team responsible, the resulting documents and the conclusions reached.
Similar to automating manual tasks via software, using other service organizations to handle aspects of your business can help simplify the requirements for a SOC report (such providers are referred to as “subservice organizations”).
For example, using a managed IT services provider to maintain the company’s network and computers minimizes the activities your business must perform. Another common example is using a platform such as Microsoft Azure or Amazon Web Services to host your IT infrastructure. Controls over that infrastructure, such as physical security, then become the responsibility of the subservice organization rather than your small business.
Most organizations, even small ones, have preexisting groups or teams that meet at regular intervals. For example, an executive team may meet monthly to discuss key business metrics, policies and procedures; an operations team may meet to discuss customer matters and service delivery issues; or an IT team may meet to discuss technology matters and risks. The key is to take these existing meetings and systematize them. That is, create standard agendas that address SOC-relevant criteria related to each particular team’s purpose.
For example, a standing item on the executive team agenda could be risk and company objectives; the operations team could have items that address whether control activities (procedures) require updates or whether monitoring activities are effective; and the IT team could address infrastructure changes and security events. The key is to make these standing items on a formalized agenda and to document the discussions and results. That documentation can then be used as evidence to support an auditor’s testing for a SOC report.
Possibly most important for a smaller company pursuing a SOC report is the commitment and support from senior management/ownership. Without this, it won’t be possible to make it through the SOC process. Having this support, however, can actually serve as evidence that supports an effective control environment, which is one area a SOC report will address. The hardest part of completing your first SOC report is the process of creating each required component step by step, which does take time and effort.
Once the initial report is drafted and required supporting documentation identified, SOC becomes much more of a maintenance process, and ideally becomes part of an organization’s operating culture and DNA. Getting there requires a firm commitment that can only be made by the most senior members of your organization.
Pursuing a SOC report for a smaller entity can seem like a daunting task. With a strong commitment from top management/ownership, automating various tasks, using subservice organizations and creating standard agendas for existing meetings, your smaller company can reap all of the benefits a SOC report offers to even the largest of your competitors.
Contact Steve Guarini at sguarini@cohencpa.com or a member of your service team to discuss this topic further.
Cohen & Company is not rendering legal, accounting or other professional advice. Information contained in this post is considered accurate as of the date of publishing. Any action taken based on information in this blog should be taken only after a detailed review of the specific facts, circumstances and current law.