There are a few areas of confusion when it comes to small business SOC compliance. Many smaller organizations still have sufficient internal controls, and the documentation and questions required by SOC compliance can still be provided and answered. However, the size of the organization has a large effect in two areas in particular.
The requirements for SOC compliance are written generically for businesses of every size, in both revenue and employee count, so the wording of some requirements raises questions for smaller and less complex businesses. Many small businesses have an internal control environment that is sufficient to meet the general requirements for SOC compliance. However, two areas in particular are stumbling points for some small businesses.
The first requirement to raise questions for smaller organizations is often section CC1.2 which states, “The board of directors demonstrates independence from management and exercises oversight of the development and performance of internal control.” Many small businesses do not have a formal board of directors, and that raises the questions of what to do if your organization does not have one and whether your organization can still be SOC compliant without one.
The AICPA has addressed this question, and the answer is yes: organizations without a formal board of directors can still complete a successful SOC audit. If an organization does not have a board of directors, it is required to have controls and oversight that achieve the intent of the criteria. The AICPA defines a board of directors as “individuals with responsibility for overseeing the strategic direction of the entity and the obligations related to the accountability of the entity”, a role that the partners or owners of a smaller organization can fill.
The requirement is meant to apply to a group or individual with a direct stake or ownership in the organization and a personal investment in its accountability and security. This is why, in a smaller organization, an owner or a group of business partners can satisfy this criterion.
The second requirement of SOC compliance that raises questions for small businesses is segregation of duties. The division of responsibilities is crucial to several SOC requirements and, in general, is a major part of a secure control environment. The described level of segregation of duties is often hard to achieve in a smaller organization, but a small business does not need to hire extra employees to reach it. Secondary controls can be properly implemented to achieve a compliant control environment with fewer employees.
To get started on your small business SOC Audit or to get any questions answered, contact us today!