9 Steps to Prepare for a SOC 2 Audit | SOC 2 Compliance Checklist

The Importance of Preparation for SOC 2 Audits 

Companies are increasingly joining forces with information technology providers to control operating costs, focus on core business tasks, access cutting-edge services, and free up internal IT resources. Integrated services have growing access to clients’ systems and their customers’ data in order to perform tasks including: 

• Colocation
• Data storage and backup
• Data processing
• Software-as-a-Service (SaaS)
• Data-as-a-Service (DaaS)
• Infrastructure-as-a-Service (IaaS)
• Platform-as-a-Service (PaaS)
• Shared Hosting
• Virtual Private Server (VPS)

Business leaders should be protective about how they save and share their intellectual property, human resource information, and confidential customer data. No matter how much vetting a client company does to find a service organization with incomparably impressive credentials, business leaders still have a duty to protect all data that is collected, stored, transmitted, processed, and disposed of by a service provider. 

SOC 2 audits and reports serve as attestations to customers of these service providers. A SOC 2 report shows customers, and other stakeholders, that all relevant systems are properly protected against the threat of modification or unauthorized access. The compliance management process gives service organizations the chance to address vulnerabilities and inconsistencies that might make their system more at risk to cybersecurity attacks. 

9 Steps to Prepare for a SOC 2 Audit

The SOC 2 compliance process starts long before the audit date. Data security and compliance management are meant to be ongoing efforts. They begin with analyzing the risk environment and identifying gaps, transition into remediation and readiness testing before auditing, certifying, and starting over again the next year. Here’s a closer look at each phase. 

Determine the Type of SOC 2 Report | SOC 2 Step 1 

Choose between SOC 2 Type 1 and Type 2 reports; this decision depends on your client’s needs, your organization’s services and products, or audit requirements. 

Quantifying Risk | SOC 2 Step 2 

The preparation phase of SOC 2 compliance begins with quantifying the business revenue that is at risk. There are a number of methodologies that can be used to accurately quantify your financial risk. During the kickoff, you and your audit partner will also establish which preparation tasks are most critical and set up expectations for the rest of your audit prep. 

Defining the Scope | SOC 2 Step 3 

Depending on the reason for the SOC 2 audit, the scope may cover the controls in one or all five of the Trust Service Criteria (TSC). Additionally, the scope may be wider or narrower in relation to what will need to be analyzed. 

Consider any legal, contractual, or other regulatory obligations you may have to help identify specific TSC requirements. For example, in the case of healthcare organizations, data privacy is crucial, so they may focus on privacy. In general, security and availability are the most commonly tested TSCs. 

Building a Strong Compliance Team | SOC 2 Step 4 

SOC 2 audit is a marathon, not a sprint. The process can take several months. However, it will go more smoothly and efficiently if you identify the necessary role and the people who will fill them. Essential SOC 2 players include: 

• Executive Sponsor – This is the person who should be able to tell those in the C-Suite why SOC 2 certification is right for your organization. They will be able to relate certification to ongoing security concerns, future revenue, risk management, and more. In a complex organization, this sponsor will need to do extensive research to be sure they thoroughly understand the undertaking.
• Project Manager – The project manager will be the person who coordinates all SOC 2 activities and team members. They will gather information and documents, schedule resources, set deadlines and milestone, and help ensure that everyone has what they need. A project manager doesn’t need to have management compliance experience or even fully understand SOC 2’s requirements. What they do need is an understanding of team management and the skills to keep everything moving. Project management works best when the person in that role is left free to organize. Material participation in the process should be delegated to someone else to leave your project manager free to manage.
• Primary Author – The person in this role will need technical writing experience and extensive communication skills. They will need to have a firm understanding of business and operations, as well, so that they can effectively interview members of other teams and be able to clearly report what they are doing.
• IT and Security Personnel – The people on this team will have a great deal of material that needs to be created and verified during the audit process. Much of the work will involve demonstrating that your organization can detect and effectively respond to data security issues. Make sure that this team has both personnel and financial resources needed for the job. It is likely that you will need to buy additional security tools after your first audit. You may also need to change how people physically access your properties and your data center. This, in turn, may result in the need to hire additional personnel. Make sure that there is enough staff available to handle the workload associated with SOC 2 certification.
• Legal Personnel – Your legal team should be involved in the SOC 2 audit process early. Their input will be invaluable when you are working with third-party vendors and business partners to ensure that all contracts are up to date. They will also be helpful as you continually update your documentation throughout the SOC 2 project.
• External Consultants – If this is the first time your organization has undergone SOC certification or if you have had significant changes since your last experience, external help can be a lifesaver. Organizations like I.S. Partners can advise you throughout the process to ensure your success. Consultants will have worked extensively with a range of organizations and will have an understanding of what you’ll need to become SOC 2 compliant. We have a deep understanding of the TSCs and can help you understand how they apply to your organization. Additionally, if you are bound by other compliance requirements like HIPAA and PCI, we can ensure that they are properly incorporated into your organization’s SOC 2.

Document Collection | SOC 2 Step 5 

In preparation for the upcoming SOC audit, you’ll receive a list of all of the documentation you will be expected to deliver as part of the process. 

This list will also highlight what you are currently missing. Most enterprises go into the process with a number of gaps. Giving yourself time to address them will ensure a higher level of success. Some of the most common gaps include: 

• A full asset inventory, as well as the process that keeps your inventory updated and accurate.
• Human resources documentation that includes procedures for evaluating employee performance, as well as a meta-document that outlines how and when these evaluations are distributed to the applicable managers.
• Controls and checklists for employee onboarding.
• A formal process for employee termination or change from one position in the company to another.
• Core policies, including standard operating procedures and an information security policy.
• Key security controls for your customer data.

Readiness Assessment | SOC 2 Step 6 

This important exercise helps IT teams understand which important elements of the control environment require attention and remediation before performing the official audit. Even with all the other preparatory steps locked into place, conducting readiness testing is crucial for ensuring the service organization’s controls work as intended. It is not at all unusual for various inconsistencies, deficiencies, and other problems to surface during a SOC 2 readiness assessment. 

Readiness testing can also help narrow the scope down to the exact business processes and systems to be included in the audit. This is key to saving valuable time and resources. 

There really is no official industry standard when it comes to SOC readiness testing methods, but there are some core elements, points, and ideas that may help get service organizations like your own moving in the right direction, like the following: 

1. Make sure SOC is right for your business.
2. Choose and meet with a service auditor to discuss issues and concerns for an upcoming audit.
3. Select SOC 2 audit elements, such as the system in question and the TSC, or TSCs, to include in the audit.
4. List management commitments.
5. Evaluate controls and gaps to make sure they are in place, correctly designed, and operating effectively.
6. Remediate discovered gaps regarding controls, policies, procedures, and processes.
7. Develop a system description that reflects elements of the system, as well as criteria, security controls, and assertions.
8. Run and maintain processes to build an effective audit period.
9. Prepare to run your official SOC 2 audit with last-minute walk-throughs.

Identifying Gaps | SOC 2 Step 7 

Gap analysis allows you to verify that all key controls are documented and in place. This process requires a close review of your chosen system against the criteria selected. A gap analysis serves to detect issues before beginning an audit. It gives your organization the opportunity to make corrections, so be sure to leave plenty of time for remediation. During gap analysis, an independent auditor can help assess your current environment and how it compares to SOC 2 requirements: 

• Security
• Availability
• Processing integrity
• Confidentiality
• Privacy

Common issues often identified in this phase include: 

• A need for core policies that define how your organization protects internal and customer data.
• A need for consistent employee background checks.
• A need to adjust or create employment agreements that emphasize security needs.
• A need for a strong password policy that meets the latest best practice recommendations.

The gap analysis stage typically takes between two to four weeks. These days, all or nearly all SOC fieldwork and auditing procedures can be performed remotely without on-site appointments. At the end of this analysis, you and your auditor will have identified the controls that need improvement in order to achieve SOC certification. 

Remediation | SOC 2 Step 8 

Once the gap analysis and readiness assessment (also known as a SOC 2 self-assessment) is completed, you’ll start your first remediation period. This can last anywhere from two to nine months. The length of remediation will depend on what you discover during the gap analysis and what resources are available to seal up the gaps. 

This is the part of the process where teams will feel the impact of the changes that SOC 2 requires. It is not uncommon to make new hires to meet requirements. You may also change your software development process to align with security needs. Following the SOC 2 readiness assessment, your team should ensure all security procedures are exhaustively assessed and documented to facilitate the audit process and provide employees with a guideline for permissible actions on the audited systems. 

After this remediation period, another assessment will be performed. There may also be a second remediation period based on your auditor’s findings at this time. 

Fulfilling Documentation Requests | SOC 2 Step 9 

Documentation is essential to achieving and maintaining complete and consistent SOC 2 compliance. Examples of pertinent documentation include organizational charts, change management compliance information, asset inventories, and on-boarding and off-boarding processes. 

Your request list from the SOC auditor may include items that do not apply to your specific business. Explain to your auditor which items don’t belong and the reasons why. In some cases, your auditor may not agree with you and will explain why certain items that are not currently in your procedures are important. 

This stage involves a large quantity of documentation. Make sure you have someone tasked with coordinating it all so that every relevant department knows what is expected of them and when. All of the information should be pulled together in a central repository so that it is easily available to your auditor. 

Related article: Are Pen Tests & Vulnerability Scans Needed for SOC 2 Report Compliance? 

Tips to Ensure Success When Preparing for a SOC 2 Audit 

1. Establish Administrative Policies: Create strategies that match your team structure to manage security in the workplace. Regularly review and update these policies as procedures change. 
2. Implement Technical Security Controls: Use available security tools and adopt best practices for efficient access control, firewall, and network protections by enabling encryption. Implement cloud security controls matching your policies surrounding access control, networking, backup protocol, and more.
3. Engage a Reputable Auditing Firm: Look for a firm that has worked with similar-sized companies, has experience in SOC 2 audits, and conducts an efficient auditing process.
4. Schedule the Audit: Find an accredited auditing partner meeting your organization’s needs and expectations to ensure a smooth and efficient process.

What Documentation Should Be Collected Before a SOC 2 Audit? 

SOC 2 documentation serves as critical evidence reflecting your implemented security policies, procedures, and other internal controls based on the five Trust Services Criteria (TSC) – namely, security, availability, processing integrity, confidentiality, and privacy. It typically includes system descriptions, management assertions, risk assessments, and other requirements. 

Proper documentation should detail the security controls – like authentication measures and technical testing – and provide proof that systems have been updated with the latest configurations and patches. All these documents should be organized systematically to help auditors verify their accuracy and relevance to audit objectives. 

It’s crucial that your processes, procedures, and regular checks for vulnerabilities or outdated components are explained clearly. Evidence is typically collected via screenshots, logs, documents, tickets, and other paperwork that supports the SOC 2 compliance program. 

By maintaining comprehensive and up-to-date documentation, you can ensure surprises or neglected protocols won’t pop up during a SOC 2 audit. Remember, SOC 2 is not a strict rulebook but a framework surrounding the five TSCs, and addressing it essentially requires thorough documentation. 

What Is a SOC 2 Compliance Checklist? 

A SOC 2 compliance checklist is a list of actionable items made to help organizations as they prepare for a SOC 2 readiness assessment or SOC 2 compliance audit. SOC 2 compliance checklist outlines the key steps an organization needs to follow to become compliant with the SOC framework. It helps ensure that a company’s information security measures are in line with the unique needs and requirements of today’s cloud environments, adhering to the five TSCs.  

While the actual checklist can differ for each organization depending on their unique operational structure and processes, a general SOC 2 compliance checklist can be downloaded here: 

What is SOC 2 Readiness? 

SOC 2 readiness is an assessment that acts like a dress rehearsal in preparation for the SOC 2 audit, helping to identify potential gaps in your controls and create a plan to remediate those gaps. The assessment allows internal verification of an organization’s readiness for a SOC 2 examination, the adequacy of current controls, the detection of gaps that need fixing before the examination, and how to rectify these gaps. 

What Does a SOC 2 Audit Look for? 

A SOC 2 audit looks at how an organization’s data management to ensure it complies with the five Trust Service Criteria: 

1. Security: This assesses whether the system is protected, both physically and logically, against unauthorized access, disclosure, and disruption of system operations, among other security threats.
2. Availability: This criterion examines whether the system is available for operation and use as agreed upon. It includes network and system performance monitoring, disaster recovery, and incident handling.
3. Processing Integrity: This is about whether the system achieves its purpose. i.e., the delivery of the right data at the right price at the right time. It includes data processing, data quality monitoring, and process mapping.
4. Confidentiality: This checks whether confidential information is protected. It includes encryption, network and application firewalls, and access controls.
5. Privacy: This considers whether personally identifiable information is collected, stored, processed, disclosed, and disposed of in compliance with an organization’s privacy notice and principles and with criteria set forth in the Generally Accepted Privacy Principles issued by the AICPA.

The SOC 2 audit tests the design and operational effectiveness of controls the company has in place to meet the trust principles. During the audit, the auditor performs a readiness assessment, checks for gaps, develops a remediation plan, and tests the design, implementation, and operational effectiveness of controls. The auditor also reviews the company’s policies, procedures, and evidence of these controls working in practice, such as screenshots, logs, docs, tickets, and other collected paperwork. 

The purpose of the SOC 2 audit is to reassure the management and customers that the organization is responsible for data management, utilizing IT systems and software development processes correctly, and handling information responsibly, inline with the trust principles. 

Accelerate Your SOC 2 Audit Preparation With I.S. Partners

Navigating through the complexities of a SOC 2 audit can be daunting. But with I.S. Partners by your side, every step on the path to reliable data security becomes clearer and more manageable. I.S. Partners not only helps streamline this multifaceted process but also leverages its industry experience to identify, address, and bridge any gaps that may arise as we guide your organization through SOC 2 compliance.

Resources

AICPA, “Trust Services Criteria for Security, Availability, Processing Integrity, Confidentiality, and Privacy,” March 2020. 

SOC 1®, SOC 2® and SOC 3® are registered trademarks of the AICPA (American Institute of Certified Public Accountants). The AICPA® Trust Services Criteria for Security, Availability, Processing Integrity, Confidentiality, and Privacy is copyrighted by the Association of International Certified Professional Accountants. All rights reserved.

About The Author

Anthony Jones

Anthony has over 20 years of experience and has worked with a variety of industries, including Health Care Insurance, Banking and Financial Services, Information and Analytics, Telecom, and Utilities. Anthony has extensive knowledge in IT Security consulting; he is also a Certified Information Systems Auditor (CISA), and Project Management Professional (PMP) designation holder with expert ability to accurately determine needs, understand risk tolerances, offer alternatives to current situations, develop action plans and cultivate longstanding client relationships. Anthony’s area of expertise consists of MAR, HIPAA and Sarbanes Oxley Compliance, IT Security and Privacy Management, Enterprise Risk Management (ERM), Health Care Insurance Banking and Financial Services, Manufacturing and Utilities. Prior to joining IS Partners, LLC Anthony spent 12 years with PWC as a Senior Manager in Business Risk Solution (BRS) Practice advising Fortune 100 financial services, manufacturing, Insurance and utility companies. Anthony graduated Saint Joseph’s University. Anthony received his MBA from SJU Haub School of Business.
Anthony Jones frequently blogs for I.S. Partners, LLC.