System and Organization Controls (SOC) Resources

Delivering the greatest value possible to our clients.

If you are a service organization undergoing a SOC audit, you can use the resources below to help perform and document key controls required by the audit. We recommend implementing these controls if this is your first SOC audit, and utilizing these templates to keep track of which controls have been implemented and what could be improved upon.

For the purpose of a System and Organization Controls (SOC) report, risk assessments can be performed in many different ways. However, there are key elements that service auditors will always look for during a SOC engagement, including the following:

Specifies Suitable Objectives

The organization specifies objectives with sufficient clarity to enable the identification and assessment of risks relating to objectives.

Identifies and Analyzes Risks

The organization identifies risks to the achievement of its objectives across the entity and analyzes risks as a basis for determining how the risks should be managed.

Assesses Fraud Risk

The organization considers the potential for fraud in assessing risks to the achievement of objectives.

Identifies and Analyzes Significant Change

The organization identifies and assesses changes that could significantly impact the system of internal control.

Another important consideration is the use of a framework to guide the performance of risk assessments. A very common framework that is widely used is NIST’s Guide for Conducting Risk Assessments.

FREE Management Review Memo Sheet for SSAE 18 or SOC Reports

Use the Management’s Review of System Organization Controls (SOC) Report template to help you document your review of the SOC reports of your key vendors. This template will guide you to the most important sections of the SOC report.

FREE Vendor Management Policy Guidelines

The Vendor Management Policy Guidelines serve as a template that service organizations can use to provide written guidelines for the procurement of third-party services in accordance with their company’s mission, obligations, and ongoing administration of company functions.

FREE SDLC and Change Management Policy Checklist

The Systems Development Life Cycle (SDLC) and Change Management Policy checklist is designed to provide an orderly process in which changes to your company’s IT infrastructure are requested and approved prior to the installation or implementation of the change. This policy should be periodically reviewed and updated, where necessary, to reflect changes in the technology environment.

FREE Code of Business Conduct Example

This Code of Business Example is intended to help service organizations get an idea of what key controls are related to the code of business conduct and its formal policies and procedures will be implemented.

Memo to Document Management’s Review of Periodic Controls That Did Not Operate During the PeriodFREE Memo to Document Management’s Review of Periodic Controls That Did Not Operate During the Period

Control Self Assessment templateFREE Control Self Assessment Template

Press Release Template

Bridge Letter Template

Bridge Letter Template

Vulnerability Remediation Plan Template


Need help navigating SOC audits, employee benefit audits, financial statement audits, or outsourcing your internal audits? Let’s chat!
1 Step 1
FormCraft - WordPress form builder