SOC Compliance and Service Providers
I always read advice and guidance from Protiviti, especially when Jim DeLoach is involved in it. The firm is a prolific source and they often have good advice – but not always.
A couple of weeks ago, they published Preparing for Annual SOX Compliance Amid COVID-19: Outsourced Processes and Use of Third-Party Providers Remain Relevant to ICFR.
First, let me reset your expectations. Their article and this post have next to nothing to do with COVID-19. They are using that as a hook; the only point they make relative to COVID is that the SOC-1 reports might be delayed.
Protiviti has been pushing this article on social media, so I am going to share my thoughts before people start down the wrong path.
They outline and discuss these steps:
- Inventory your providers
- Obtain SOC reports
- Map controls from the SOC report to management’s processes
- Evaluate deficiencies identified in the SOC report and assess potential impact to your business
- Obtain bridge letters
- Determine impacts from the pandemic
- Take appropriate actions
Now why is this the wrong path?
It is not top-down and risk-based. It is fundamentally bottom-up.
Here’s a better series of steps:
- When you perform your SOX scoping, identify where you are…