Audit and Assurance

SOC Readiness Assessment

The SOC readiness assessment has grown in importance since the Audit Standards Board (ASB) replaced SAS 70 with SSAE 16 in 2011 and the AICPA introduced SOC 2 reports covering Security, Availability, Processing Integrity, Confidentiality, and Privacy. This new set of standards complicates compliance reporting on controls at service organizations and increases the responsibilities of the service organization being audited.

Prior to filing Service Organization Control Reports (SOC 1, 2, or 3), we offer a critically valuable tool that assists you in identifying high-risk areas and compliance issues that may have emerged since your last SAS 70 audit. We will also help you assess all control activities that are reported on during the SOC 1, 2, or 3 audits.

With the SOC readiness assessment, we're able to help prepare you for an audit engagement and reduce or eliminate the possibility of a qualified opinion or reporting exception.

Concluding this review, we provide you with a report that identifies:
  • Financial and operational reporting risks that are not sufficiently mitigated
  • Recommendations for improving your control processes
  • A favorable impact of IT application controls, if applicable
  • An action plan that identifies procedures, controls, and documentation for management's consideration prior to a SOC audit

When to Have a SOC Readiness Assessment

You should consider engaging in a SOC readiness assessment if your service organization:
  • Has not recently completed a SOC audit
  • Would benefit from an internal report identifying control deficiencies
  • Is looking for a cost-effective audit preparedness assessment

Once the assessment is complete, we can also assist with the SOC audit. Please see our SOC audit engagements section to learn more about the services we offer in this area.

Should My Organization's Services Be Audited?

Angela Appleby

If your organization performs services for clients or if you are responding to client questionnaires on your IT policies or other processes, then you may be considered a "service organization" and may benefit from an independent review of security, confidentiality, privacy, etc. controls.