SOC Series: A Quick Guide for Crypto Organizations (part 4)

moreReese
4 min read · Dec 7, 2020

This is the fourth post in a 4-part series on SOC reporting basics within the cryptocurrency ecosystem. Part 1 provides a basic introduction to SOC reporting. Part 2 breaks down the various types of SOC reports. Part 3 discusses SOC reporting in the cryptocurrency space. Part 4 is a simple guide for cryptocurrency firms interested in getting started.

If you’ve been keeping up with this series, you now understand what a SOC report is, the different types, and how SOC reporting fits into the crypto ecosystem. This final post in the SOC reporting series serves as a basic guide to getting started.

Step 1: Determine if SOC reporting is right for your organization

The SOC framework was designed to assess the systems and controls of service organizations, both those relevant to their customers' financial reporting (SOC 1) and those measured against the AICPA Trust Services Criteria, formerly called the Trust Services Principles (SOC 2). Within the crypto ecosystem, such organizations include (but are not limited to) exchanges, custodians, consultants, mining pool operators, and publicly traded firms with crypto operations.

When determining if SOC reporting is applicable to your organization (assuming you understand what SOC reports are, how they’re created, and what they’re used for) some key questions to ask are:

  • Do the financial controls and reporting mechanisms in place at my organization affect the financial reporting of my organization's customers/users?
  • Have customers/users asked for more transparency and detail around the systems and controls my organization uses to protect things such as their security and privacy?
  • What benefit does my organization (as well as our partners) stand to gain from third-party assurance of our operational effectiveness?

If the answer to either of the first two questions is yes, and you can name a concrete benefit for the third, then SOC reporting may be something to consider. Fundamentally, SOC reports are about assurance and trust between your organization and its stakeholders. Although a SOC engagement is a real expense, many organizations find it an overall value add: a single report can replace a stream of bespoke security questionnaires and customer audits.

Step 2: Identify which SOC report(s) are applicable to your organization

If you need a refresher on the different types of SOC reports, check out part 2.

Determining which report(s) are applicable to your organization depends on the service you provide. Additionally, this decision is influenced by the degree to which your customers/users need assurance of the operational effectiveness of your systems and controls.

SOC 1 reports cover controls relevant to your customers' internal control over financial reporting, while SOC 2 reports cover controls measured against the Trust Services Criteria: security is always in scope, with availability, processing integrity, confidentiality, and privacy added as needed. Many organizations need both reports, but not all do. The same goes for Type 1 and Type 2 reports: a Type 1 assesses whether controls are suitably designed at a given point in time, whereas a Type 2 also tests whether those controls operated effectively over a specified period (commonly six to twelve months). Customers who want evidence that controls actually work, not just that they exist on paper, will generally ask for a Type 2.

If you choose to move forward with a SOC audit, the firm(s) with which you engage will be able to provide guidance as to which reports are best for your organization. Still, it’s always good to do your homework beforehand and have a sense of what your organization needs.

Step 3: Understand your budget

As is the case with any business decision, budget is a key consideration. The overall budget will be influenced by factors such as:

  • The types and total number of reports your organization needs
  • Organization size and complexity
  • Auditor(s)

These factors mostly boil down to time and specialty. The more specialized an accounting firm is within your organization's particular niche, the more it will charge (generally speaking). Similarly, a larger and more complex organization, or a larger number of reports, will generally translate to more billable hours charged by the auditing firm.

When shopping SOC proposals, be sure to get a detailed breakdown of price and scope to help you compare different options.

Step 4: Select an auditor

There are plenty of licensed CPA firms capable of providing SOC services. Outside of cost, determining which one is right for your organization is largely a function of the firm’s track record and specialty.

Does this firm have a proven track record of conducting SOC examinations for organizations like yours? Does it have a cryptocurrency and/or blockchain practice? Can it speak credibly to controls such as key management, wallet segregation, and on-chain reconciliation?

Doing due diligence up front will pay off. Since SOC reports are a third party’s attestation to the effectiveness of your organization’s controls and systems, reports from well-recognized and credible firms carry more weight. The firm(s) with which you partner ultimately become a reflection of your organization’s reputation.

To check that a CPA holds an active license, you can look them up on CPAverify.org, a NASBA service that aggregates state board of accountancy license records. SOC reports must be issued by a licensed CPA firm, so this is a basic sanity check before signing an engagement letter.

Step 5: Prepare for a SOC audit

Once you’ve selected a licensed CPA firm to conduct your SOC examination, you’ll need to prepare for the audit. How these audits are conducted can differ from firm to firm (and the good ones will smoothly guide you through the process), but, generally, here is what you can expect.

First comes a kickoff and/or scoping phase, in which the auditor meets with your organization's leadership to explain the overall process, timelines, what to expect, who is involved, which systems and control criteria are in scope, etc.

Then, the auditor will request information from your organization as it pertains to the audit. In this gathering and discovery phase, the auditor begins to map your organizational information (policies, system descriptions, control owners, evidence such as access reviews and change tickets) to the AICPA-defined SOC standards.

Next comes the phase where the bulk of the work takes place. You will engage regularly with the auditors as they investigate various aspects of your organization's controls and identify gaps. You will then work to remediate those gaps satisfactorily (and/or to come up with a plan to do so). Note that for a Type 2 report, gaps that exist during the examination period generally appear as exceptions in the final report, so many organizations run a separate readiness assessment and fix gaps before the review period begins. This work can be completed either in person or remotely.

Finally, in the last phase, the auditor works on drafting the final report(s). Here you can expect less engagement with the auditor, though you'll likely have regular status update meetings and may be asked to respond to one-off requests.

Finishing Up

This 4-part series just scratches the surface of SOC reporting. Hopefully it equips you with the information you need to determine if this is something that's right for you and your organization. If you enjoyed the series, have gone through SOC reporting, and/or have any feedback, we'd love to hear from you!
