3 Common SOC Exam Issues Facing Technology Companies
October 11, 2016
If you’re a tech company that uses a third-party cloud provider, you may still need your own SOC examination, even if that provider has one of its own.
As a technology company that provides critical outsourced services to your customers, you will inevitably be asked by customers (or prospects) for your SOC examination report. Although all SOC reports (SOC 1, SOC 2 or SOC 3) address controls over information technology security and operations, certain components of these examinations take on an added focus for technology service companies. When I work with technology companies going through the SOC examination process for the first time, I typically encounter the following three issues which, if not remediated, will negatively impact the auditor’s opinion of their controls.
- Risk Assessment: I find that technology companies often fail to formalize their risk assessment process. An entity’s risk assessment is its identification, analysis and management of the risks relevant to its internal operations and to user organizations (i.e. its customers). As part of the risk assessment, each risk is documented and assigned a weighted score; the higher the score, the greater the risk. The higher-scoring items are prioritized, and appropriate controls are implemented and monitored to reduce each risk to an acceptable level. This is a continuous process: organizations need to revisit and revise the assessment whenever business operations, technologies or the regulatory environment change.
- System Development Activities: As more and more technology companies adopt agile development methodologies such as Scrum, the control points throughout the system development process become less distinct than those typically found in a more traditional “Waterfall” approach. Although an agile approach brings numerous benefits and efficiencies, we often see key control points minimized for the sake of delivering product features in two-week “sprints”.
- Data Classification: Finally, it is imperative for technology companies that host, manage, store or otherwise have access to customer data to have a formalized Data Classification Policy. Data classification is the identification and “tiering” of different types of data according to their confidentiality, security, integrity or availability requirements. If an organization doesn’t know what data it has, it is difficult to implement an approach to securing that data.
Questions on SOC Examination Issues? Reach out to our Information Technology Experts today.