When you have scheduled your SOC 2 examination, you are well on your way to demonstrating the trustworthiness of your company. However, scheduling the auditor's on-site visit is not the end of your preparation; there are a number of additional steps along the way. Not sure what your timeline is or what to expect? Read on to learn more about each stage of the process:
Why You Need SOC 2 Audits
First, it is important to understand what SOC is and why it is valuable. SOC is an abbreviation for "system and organization controls." A SOC 2 report gives customers and prospects insight into how well your organization handles sensitive data, with special attention paid to the information entrusted to you by customers and third-party vendors.
Strictly speaking, SOC 2 is an attestation, not a certification: an independent certified public accountant (CPA) firm examines your controls and issues a report under the American Institute of Certified Public Accountants (AICPA) attestation standards. Along the way the auditor will work with your organization on a readiness assessment, an analysis of your risk management, and the SOC guardrails that fit your environment. A SOC 2 Type 1 report describes the design of your controls at a point in time; a Type 2 report also tests whether they operated effectively over a review period, which adds months to the overall timeline. The steps involved are detailed below.
Quantifying Your Risk
The kickoff of a SOC 2 audit involves quantifying the business revenue that is at risk. There are a number of methodologies that can be used to quantify your financial risk. During the kickoff, you and your audit partner will also rank the criticality of your preparation tasks and set expectations for the rest of the engagement.
Next Up: Gap Analysis
The gap analysis stage typically takes anywhere from two to four weeks. This is a stage where the assistance of a third-party service auditor like I.S. Partners is especially valuable.
During gap analysis, your auditor will assess your current environment and how it compares to SOC 2 requirements. How well does your organization meet the AICPA trust services criteria (formerly called trust service principles)?
- security (the common criteria, required in every SOC 2 report).
- availability.
- processing integrity.
- confidentiality.
- privacy.
Some SOC audit procedures can be performed remotely. Others will require an on-site appointment. Procedures that fall into the latter group include environmental and physical security functions.
At the end of this analysis, you and your auditor will have identified the areas where you can improve to serve customers' privacy needs better and to obtain a clean SOC 2 report. Common issues identified in this phase include:
- A need for core policies that define how your organization protects internal and customer data.
- A need for consistent employee background checks.
- A need to adjust or create employment agreements that emphasize security needs.
- A need for a password policy that meets the latest best-practice recommendations. Note that current guidance (NIST SP 800-63B) favors minimum length and screening against known-compromised passwords over traditional composition rules and forced periodic rotation, so "complexity" should not be read as "special characters and 90-day expiry."
Which trust services criteria you include beyond security depends on your business and industry. For instance, if you are working in the e-commerce sector, you will most likely want to add processing integrity to the scope of your SOC 2 audit.
Once the gap analysis and readiness assessment are completed, you will start your first remediation period. This can last anywhere from two to nine months. The length of remediation will depend on what you discover during the gap analysis and on the resources available to close the gaps.
This is the part of the process where teams will feel the impact of the changes that SOC 2 requires. It is not uncommon to make new hires to meet requirements. You may also change your software development process to align with security needs.
After this remediation period, another assessment will be performed. There may also be a second remediation period based on your auditor’s findings at this time.
The Information Request List
Before your SOC 2 audit begins, you will receive a list of all the documentation you will be expected to deliver as part of the process.
This list will also highlight what you are currently missing. Most enterprises go into the process with a number of gaps, and giving yourself time to address them before fieldwork starts improves your chances of a clean report. Some of the most common gaps include:
Your request list may also include items that do not apply to your specific business. Explain to your auditor which items do not apply and why, and document that reasoning; in some cases your auditor will disagree and explain why a control that is not currently part of your procedures is still needed.
Getting Together Your Documentation
This stage involves a large quantity of documentation. Assign one person to coordinate it so that every relevant department knows what is expected of them and when. Pull all of the evidence together in a central repository, so that it is easily available to your auditor and so that you can tell at a glance which request-list items are still open.
Getting ready for a SOC 2 report is a long process, and it is important to have the right help along the way. By understanding what is required of you, as well as the scope of the time and effort involved, you can make the process go more smoothly.
Looking for expert help? I.S. Partners has assisted organizations in a range of industries. Call us at 215-675-1400, or send us a message to learn more!