System and Organization Controls (SOC) Resources
Delivering the greatest value possible to our clients.
If you are a service organization undergoing a SOC audit, you can use the resources below to help perform and document key controls required by the audit. We recommend implementing these controls if this is your first SOC audit, and utilizing these templates to keep track of which controls have been implemented and what could be improved upon.
For the purpose of a System and Organization Controls (SOC) report, risk assessments can be performed in many different ways. However, there are key elements that service auditors will always look for during a SOC engagement, including the following:
Specifies Suitable Objectives
The organization specifies objectives with sufficient clarity to enable the identification and assessment of risks relating to objectives.
Identifies and Analyzes Risks
The organization identifies risks to the achievement of its objectives across the entity and analyzes risks as a basis for determining how the risks should be managed.
Assesses Fraud Risk
The organization considers the potential for fraud in assessing risks to the achievement of objectives.
Identifies and Analyzes Significant Change
The organization identifies and assesses changes that could significantly impact the system of internal control.
Another important consideration is the use of a framework to guide the performance of risk assessments. A very common framework that is widely used is NIST’s Guide for Conducting Risk Assessments.
FREE Management Review Memo Sheet for SSAE 18 or SOC Reports
Use the Management’s Review of System Organization Controls (SOC) Report template to help you document your review of the SOC reports of your key vendors. This template will guide you to the most important sections of the SOC report.
FREE Vendor Management Policy Guidelines
The Vendor Management Policy Guidelines serve as a template that service organizations can use to provide written guidelines for the procurement of third-party services in accordance with their company’s mission, obligations, and ongoing administration of company functions.
FREE SDLC and Change Management Policy Checklist
The Systems Development Life Cycle (SDLC) and Change Management Policy checklist is designed to provide an orderly process in which changes to your company’s IT infrastructure are requested and approved prior to the installation or implementation of the change. This policy should be periodically reviewed and updated, where necessary, to reflect changes in the technology environment.