What to Know When Approaching a SOC 2 Audit
When you’ve scheduled SOC 2 testing, you are well on your way to demonstrating the trustworthiness of your company. However, scheduling your on-site test is not the end of your preparation. There are a number of additional steps along the way. Not sure what your timeline is or what to expect? Read on to learn more about each stage of the process.
See our foundational guide on SOC 2 Compliance.
How Long Does It Take to Get SOC 2 Compliance?
For a first-time certification, the general timeline to reach SOC 2 compliance is 12 months. The readiness, remediation, and document collection phases usually require more time if your organization has not been through a SOC audit before.
The process tends to be faster for organizations that have already gone through SOC 2 in the past or are simply renewing their annual SOC 2 certification. Because SOC 2 certification is only valid for 12 months, compliance and attestation really becomes an ongoing process for service organizations that are committed to upholding the Trust Services Criteria.
What Is the Process to Prepare for a SOC 2 Audit?
The SOC 2 compliance process starts long before the audit date. Security and compliance are meant to be ongoing efforts. They begin with analyzing the risk environment and identifying gaps, transition into remediation and readiness testing, and then move on to auditing and certifying, before starting over again the next year. Here’s a closer look at each phase.
8 Clear Steps for SOC 2 Audit Preparation
Defining the Reporting Period | SOC 2 Step 1
The AICPA’s AT Section 801 states that a reporting period shorter than six months is not likely to be useful to user organizations and their auditors when performing SOC 2 audits. Schedule your SOC 2 audit, whether Type I or Type II, at regular 6- to 12-month intervals to ensure regular and thorough compliance.
Quantifying Risk | SOC 2 Step 2
The preparation phase of SOC 2 compliance begins with quantifying the business revenue that is at risk. There are a number of methodologies that can be used to accurately quantify your financial risk. During the kickoff, you and your audit partner will also establish how critical your preparation tasks are and set up expectations for the rest of your preparation.
Defining the Scope | SOC 2 Step 3
Depending on the reason for the SOC 2 audit, the scope may cover the controls in one, or all five, of the TSCs. The scope may also be wider or narrower in terms of which systems and business processes are analyzed.
Consider any legal, contractual, or other regulatory obligations you may have to help identify specific TSC requirements. For example, in the case of healthcare organizations, data privacy is crucial, so they may focus on privacy. In general, security and availability are the most commonly tested TSCs.
Building a Strong Compliance Team | SOC 2 Step 4
SOC 2 certification is a marathon, not a sprint. The process can take several months. However, it will go more smoothly and efficiently if you identify the necessary roles and the people who will fill them. Essential SOC 2 players include:
- Executive Sponsor – This is the person who should be able to tell those in the C-Suite why SOC 2 certification is right for your organization. They will be able to relate certification to ongoing security concerns, future revenue, risk management and more. In a complex organization, this sponsor will need to do extensive research to be sure they thoroughly understand the undertaking.
- Project Manager – The project manager will be the person who coordinates all SOC 2 activities and team members. They will gather information and documents, schedule resources, set deadlines and milestones, and help ensure that everyone has what they need. A project manager doesn’t need to have compliance experience or even fully understand SOC 2’s requirements. What they do need is an understanding of team management and the skills to keep everything moving. Project management works best when the person in that role is left free to organize. Material participation in the process should be delegated to someone else to leave your project manager free to manage.
- Primary Author – The person in this role will need technical writing experience and extensive communication skills. They will need to have a firm understanding of business and operations, as well, so that they can effectively interview members of other teams and be able to clearly report what they are doing.
- IT and Security Personnel – The people on this team will have a great deal of material that needs to be created and proven during the audit process. Much of the work will involve demonstrating that your organization can detect and effectively respond to security issues. Make sure that this team has both personnel and financial resources needed for the job. It is likely that you will need to buy additional security tools after your first audit. You may also need to change how people physically access your properties and your data center. This, in turn, may result in the need to hire additional personnel. Make sure that there is enough staff available to handle the workload associated with SOC 2 certification.
- Legal Personnel – Your legal team should be involved in the SOC 2 process early. Their input will be invaluable when you are working with third party vendors and business partners to ensure that all contracts are up to date. They will also be helpful as you continually update your documentation throughout the SOC 2 project.
- External Consultants – If this is the first time your organization has undergone SOC certification, or if you have had significant changes since your last experience, external help can be a lifesaver. Organizations like I.S. Partners can advise you throughout the process to ensure your success. Consultants will have worked extensively with a range of organizations and will have an understanding of what you’ll need to become SOC 2 compliant. We have a deep understanding of the TSCs and can help you understand how they apply to your organization. Additionally, if you are bound by other compliance requirements like HIPAA and PCI, we can ensure that they are properly incorporated into your organization’s SOC 2.
Readiness Assessment | SOC 2 Step 5
This important exercise helps IT teams understand which important elements of the control environment require attention and remediation before performing the official audit. Even with all the other preparatory steps locked into place, conducting readiness testing is crucial for ensuring the service organization’s controls work as intended. It is not at all unusual for various inconsistencies, deficiencies and other problems to surface during a SOC 2 readiness assessment.
Readiness testing can also help narrow the scope down to the exact business processes and systems to be included in the audit. This is key to saving valuable time and resources.
There is no official industry standard for SOC readiness testing methods, but there are some core elements and ideas that can help get service organizations like yours moving in the right direction, including the following:
- Make sure SOC is right for your business.
- Choose and meet with a service auditor to discuss issues and concerns for an upcoming audit.
- Select SOC 2 audit elements, such as the system in question and the TSC, or TSCs, to include in the audit.
- List management commitments.
- Evaluate controls and gaps to make sure they are in place, correctly designed and operating effectively.
- Remediate discovered gaps regarding controls, policies and procedures, and processes.
- Develop a system description that reflects the elements of the system, as well as the criteria, controls and assertions.
- Run and maintain processes to build an effective audit period.
- Prepare to run your official SOC 2 audit with last-minute walk-throughs.
Identifying Gaps | SOC 2 Step 6
Gap analysis allows you to verify that all key controls are documented and in place. This process requires close review of your chosen system against the criteria selected. A gap analysis serves to detect issues before beginning an audit. It gives your organization the opportunity to make corrections, so be sure to leave plenty of time for remediation. During gap analysis, an independent auditor can help assess your current environment and how it compares to the SOC 2 requirements under each of the five Trust Services Criteria:
- Security
- Availability
- Processing integrity
- Confidentiality
- Privacy
Common issues often identified in this phase include:
- A need for core policies that define how your organization protects internal and customer data.
- A need for consistent employee background checks.
- A need to adjust or create employment agreements that emphasize security needs.
- A need for a strong password policy that meets the latest best practice recommendations.
The gap analysis stage typically takes two to four weeks. These days, all or nearly all SOC fieldwork and auditing procedures can be performed remotely without on-site appointments. At the end of this analysis, you and your auditor will have identified the controls that need improvement in order to achieve SOC certification.
Remediation | SOC 2 Step 7
Once the gap analysis and readiness assessment (also known as a SOC 2 self-assessment) are completed, you’ll start your first remediation period. This can last anywhere from two to nine months. The length of remediation will depend on what you discover during the gap analysis and what resources are available to close the gaps.
This is the part of the process where teams will feel the impact of the changes that SOC 2 requires. It is not uncommon to make new hires to meet requirements. You may also change your software development process to align with security needs.
After this remediation period, another assessment will be performed. There may also be a second remediation period based on your auditor’s findings at this time.
Gathering Additional Documentation | SOC 2 Step 8
Documentation is essential to achieving and maintaining complete and consistent SOC 2 compliance. Examples of pertinent documentation include organizational charts, change management information, asset inventories, and on-boarding and off-boarding processes.
In preparation for the upcoming SOC audit, you’ll receive a list of all of the documentation you will be expected to deliver as part of the process.
This list will also highlight what you are currently missing. Most enterprises go into the process with a number of gaps. Giving yourself time to address them will ensure a higher level of success. Some of the most common gaps include:
- A full asset inventory, as well as the process that keeps your inventory updated and accurate.
- Human resources documentation that includes procedures for evaluating employee performance, as well as a meta-document that outlines how and when these evaluations are distributed to the applicable managers.
- Controls and checklists for employee onboarding.
- A formal process for employee termination or change from one position in the company to another.
- Core policies, including standard operating procedures and an information security policy.
- Key security controls for your customer data.
Your request list may also include items that do not apply to your specific business. Explain to your auditor which items don’t belong and the reasons why. In some cases, your auditor may not agree with you and will explain why certain items that are not currently in your procedures are important.
This stage involves a large quantity of documentation. Make sure you have someone tasked with coordinating it all so that every relevant department knows what is expected of them and when. All of the information should be pulled together in a central repository so that it is easily available to your auditor.
Related article: Are Pen Tests & Vulnerability Scans Needed for SOC 2 Report Compliance?
The Importance of Preparation for SOC 2 Audits
Companies are increasingly joining forces with information technology providers to control operating costs, focus on core business tasks, access cutting-edge services, and free up internal IT resources. Integrated services have growing access to clients’ systems and their customers’ data in order to perform tasks including:
- Data storage and backup
- Data processing
- Software-as-a-Service (SaaS)
- Data-as-a-Service (DaaS)
- Infrastructure-as-a-Service (IaaS)
- Platform-as-a-Service (PaaS)
- Shared hosting
- Virtual Private Server (VPS)
Business leaders should be careful about whom they entrust with their intellectual property, human resource information, and confidential customer data. No matter how much vetting a client company does to find a service organization with impressive credentials, its business leaders still have a duty to protect all data that is collected, stored, transmitted, processed, and disposed of by a service provider.
SOC 2 audits and reports serve as attestation to the customers of these service providers. SOC 2 certification shows customers, and other stakeholders, that all relevant systems are properly protected against the threat of modification or unauthorized access. And the compliance process gives service organizations the chance to address vulnerabilities and inconsistencies that might make their systems more vulnerable to cybersecurity attacks.
How Often Must a Service Organization Schedule a SOC 2 Audit?
Most SOC 2 reports cover a 12-month period, but there are times when service organizations perform this audit every six months, depending on the client’s preference and any ongoing concerns in the operational control environment.
Are You Ready to Start the SOC 2 Process?
The process of getting ready for your SOC 2 certification is a long one. It is important to have the right help along the way. By understanding what is required of you, as well as understanding the scope of the time and effort involved, you can make your certification process go more smoothly.
Looking for expert help? I.S. Partners has assisted organizations in a range of industries. Call us at 215-675-1400 or fill out the contact form to learn more.