PREPARING FOR YOUR INITIAL SOC 1 SM AUDIT - …SOC 1SM Audit to be performed by WithumSmith+Brown....

PREPARING FOR YOUR INITIAL SOC 1SM AUDIT

ACCOUNTING & AUDIT • TAX • CONSULTING • CORPORATE GOVERNANCE • RISK MANAGEMENT

withum.com | New Jersey. New York. Pennsylvania. Maryland. Florida. Colorado

With regard to an initial SOC 1SM Type II Audit, our solution to your needs will typically consist of two distinct parts. Part 1 will be a consulting engagement comprised of a Readiness Assessment and Part 2 will be the SOC 1SM Type II Audit.

READINESS ASSESSMENT

The goal of the Readiness Assessment is to assist your Company in the documentation of the existing processes, control objectives and the underlying control activities and in performing gap analysis. This resulting documentation, to be adopted by Management, will provide a basis for the SOC 1SM Audit to be performed by WithumSmith+Brown.

Our approach consists of a combination of planning and preparation services designed to help your company successfully prepare for its initial SOC 1SM audit and to measure the readiness of your organization to undergo such a SOC 1SM audit.

Our consulting services are designed to increase the probability of a successful SOC audit outcome.

Our Readiness Assessment consulting services are designed to be scalable and are customized to your needs and to your available resources. As a key component of our Readiness Assessment consulting engagement, we typically assist management in identifying the control objectives that are most appropriate for your in-scope services and most relevant to your customer base. We will also assist management in identifying and documenting Business Process and Information Technology Control Activities that support the in-scope Control Objectives. Additionally, during this consulting engagement we will assist management in identifying and documenting User Control Considerations to be included in management’s Description of the System. We will also assist management in identifying any compliance gaps, as well as corrective action plans for those gaps, prior to the commencement of the initial audit period.

YOUR SERVICE ORGANIZATION CONTROLS READINESS ASSESSMENT PROCESS

Withum will perform your SOC 1SM Type II engagement in accordance with AICPA standards based on Statement on Standards for Attestation Engagements (SSAE) #16. The Audit engagement is comprised of five phases as follows:

PLAN TO PUT YOUR COMPANY IN A POSITION OF STRENGTH

PHASE 1 - PROJECT PLANNING

In compliance with Auditing Standards, Withum will obtain sufficient understanding of your internal controls to plan the examination and determine the nature, timing, and extent of tests to be performed. Project planning will be followed by a project kick-off meeting with key members of your team. Thereafter, walkthroughs of all key in-scope processes will be performed to obtain an understanding of the Control Activities. In this phase, Withum will also prepare test plans to test the operating effectiveness of control activities supporting each of the control objectives as well as review the support for the required Management’s Assertion.

PHASE 2 - TESTING AND DOCUMENTATION

Withum’s test procedures depend on the nature, timing and extent of the specific control objectives being tested and the description of the individual control activities.

The objective of our test procedures is to enable us to report on three areas:

Fairness of the Presentation of your Company’s Description of Controls - This will depend largely on the preparation of the description of controls, the control objectives being addressed and the completeness and accuracy of the controls. Withum then compares its understanding of the services that your organization provides to your customers with representations by Company management in its description of controls to determine whether your description is fairly stated.

Design Effectiveness of Controls to Achieve Specified Control Objectives - To determine suitability of design, we rely on our knowledge of best business practices, our knowledge of business and IT control standards and on our industry experience in evaluating the design of controls.

Operating Effectiveness of Control Activities to Achieve Specified Control Objectives - Withum uses custom tailored audit programs to perform detailed compliance tests of Business Process and IT Controls.

YOUR SERVICE ORGANIZATION CONTROLS AUDIT PROCESS

We can further customize our test plan of operating effectiveness to conduct one or two waves of testing. Typically we recommend two waves of testing to increase the probability of a successful audit outcome; the initial wave to be conducted at an interim date and the second wave to be conducted at the conclusion of the audit period.

In addition to the above, Withum also performs tests of relevant aspects of your organization’s control environment, risk assessment, and monitoring related to the services which you provide to your customers and assesses their effectiveness in establishing, enhancing, or mitigating the effectiveness of specific controls.

PHASE 3 - AUDIT DOCUMENTATION REVIEW

Audit documentation is reviewed by senior members of the engagement team who function at a level higher than the person who prepared the work paper. The purpose of these reviews is to ensure that the data gathering and analysis have been performed properly in accordance with the audit plan and with firm and professional standards. In addition, prior to the issuance of draft reports, all critical work papers and significant areas will be reviewed by the Engagement Partner to ensure that the audit conclusions and recommendations are appropriate.

PHASE 4 - REPORTING

A draft report will be distributed to and discussed with Company Management prior to issuance of the final report. Your management comments will be thoroughly considered in tandem with audit work performed and other documentation obtained during the engagement.

PHASE 5 - AUDIT COMMITTEE/BOARD PRESENTATION

In this phase, the final report will be presented to and discussed with Senior Management and your Audit Committee and/or the full Board of Directors.

Withum has devoted considerable resources to develop our dedicated SOC (Service Organization Controls) Practice Group. Our team has extensive experience in internal control consulting and auditing of organizations and systems in a broad range of industries.

TONY CHAPMAN, CPA, CITP, PARTNER, PRACTICE LEADER, SOC SERVICES

Tony Chapman, CPA, CITP, the SOC Practice Leader for our Firm, has been designated as one of the 32 SOC specialists in the country by the Oversight Task Force of the AICPA Peer Review Board.

This Practice Group includes four AICPA-designated SOC specialists, more than any other firm in the country. Our Group combines Internal Control and Information Technology consulting expertise with Business Process Internal Controls Assessment and Auditing expertise to offer a single-source solution to the growing number of service organizations that need to obtain Service Organization Controls reports on an ongoing basis.

We provide service audit and consulting services to organizations on a regional, national and international basis. Our clients include service providers operating in many industries including Banking and Finance, Technology, Communications, Healthcare, Payroll, third party administration, and Government Agency Program Administration.

Our service approach to SOC engagements is unique and offers clients several distinct benefits. We have extensive experience with the challenges faced by organizations about to undergo a Service Organization Controls Audit. We are very familiar with the AICPA standards and will provide guidance from planning through final report issuance.

Our unique approach:

• reduces client uncertainty
• significantly reduces the stress on the organization’s resources and
• provides better and more consistent outcomes.

Our approach stresses communication and provides a high level of client satisfaction.

We have the training, expertise, experience and capacity to conduct your engagement in a manner that eliminates surprises and will produce high value deliverables on time and on budget.

Email. [email protected] | Phone. 609.520.1188 | Mobile. 908.334.7322

OUR EXPERIENCE WITH SERVICE ORGANIZATION CONTROLS AUDITS