The service organization, not the service auditor, is responsible for describing the
controls and control objectives disclosed in the SOC report. While there are no rules on
the controls that should be included in a SOC, the quality of the audit report often depends on the appropriateness of the control objectives and the testing procedures.
The service auditor may provide guidance and recommendations.
A SOC typically covers the following processes: control environment, risk assessment
processes, control activities, information and communication, and monitoring processes.
The service auditor typically evaluates and tests the following types of controls:
application development, configuration management, change management,
telecommunication network, logical access, physical access, data retention and
transmission, application, and input and output process controls.
The cost of a SOC depends on the scope of the audit, the size of your organization, the
complexity of the processing, and the maturity of the controls. First-time SOC audits are
more time-intensive and, therefore, typically cost more. Depending on the audit scope, a
SOC 1 Type 2 can cost as little as $40,000 up to several hundred thousand US dollars
for highly complex audits. You get what you pay for, and keep in mind that a cookie-cutter
SOC can damage rather than enhance the organization's credibility.
SOC is a voluntary compliance audit typically undertaken by outsourced service
organizations that impact the control environment of their customers. Examples of
service organizations include insurance and medical claims processors, trust
companies, hosted data centers, application service providers (ASPs), managed
security providers, credit processing organizations, and clearinghouses.
Each SOC has a particular role and purpose. The information below provides some
basic guidelines, but it’s important to discuss this with a knowledgeable service auditor
so that your needs match the intent of the SOC.