Are you being asked by one or more of your customers to provide them with your SOC 2 audit report? If so, you’re probably asking yourself, what is a SOC 2 report, and how do I become SOC 2 compliant? Preparing an organization for a compliance audit of any kind can be a challenging task. In the case of a System and Organizational Control (SOC) examination, the audit scope can encompass a broad range of areas. Before setting out on your SOC 2 journey, it’s a good idea to have a basic understanding of what goes into a SOC 2 report. There’s no end to the number of items to include on a SOC 2 compliance requirements checklist. It’s also important to understand that there is no “official” SOC 2 audit checklist with requirements you need to check off to obtain the final report. There are specific criteria, but how your organization satisfies those criteria is up to you and your service auditor. Here are the essential areas you’ll need to address in your SOC 2 journey to make sure it’s a success.
What is a SOC 2 Audit & Do I Need One?
A SOC 2 is a System and Organization Control report. If your company’s services impact the Security, Availability, Processing Integrity, Confidentiality, and Privacy of your customers’ data and information, then a SOC 2 could be the best report for your company. The exact determination of which report you should be seeking (SOC 1, SOC 2, ISO 27001) is a discussion you and your service auditor should have at the beginning to determine which report matches your business model and your unique report needs. A lot is influenced by what requirements you are trying to satisfy with your report. Be prepared to give your auditor some background information as to why you are seeking certification.
What is Included in a SOC 2 Report?
A SOC 2 audit is primarily for the benefit of your customers. A third-party independent CPA firm performs it, and the final report details the auditor’s assessment of whether or not a service organization has the proper controls in place to meet the relevant Trust Services Criteria (TSC) of the American Institute of Certified Public Accountants (AICPA) governing access to data.
From your customer’s perspective, a SOC 2 report provides details about what controls your organization has implemented to identify and mitigate risk, provide oversight, manage vendors, and enforce appropriate internal governance.
A SOC 2 report is an attestation report in which the management of the service organization asserts that they have controls in place to meet the AICPA’s SOC 2 Trust Services Criteria (TSC). SOC 2 audits review the controls in place at a service organization relevant to the following five trust service criteria:
- Security: Information and systems are protected against unauthorized access, unauthorized disclosure of information, and damage that could compromise the availability, integrity, confidentiality, and privacy of that information or those systems.
- Availability: Information and systems are available for operation and use.
- Processing integrity: System processing is complete, valid, accurate, timely, and authorized.
- Confidentiality: Information designated as confidential is protected.
- Privacy: Personal information is collected, used, retained, disclosed, and disposed of properly.
Even though the AICPA has defined five TSCs, not all of them may apply to every organization. Your organization must select which criteria are relevant to it. One of the initial questions in a SOC 2 process is determining the scope of the audit. Choosing an appropriate scope early on is critical for success. Make sure you seek expert advice during this step.
At a minimum, a service organization must include the Security criteria, also called the “Common Criteria,” in its report. It can then add additional TSCs depending on the services the company provides and the criteria relevant to them. To determine which TSCs apply, an organization considers the risks its services pose to its customers and then selects the criteria that best address those risks.
Additionally, there is no distinct listing of required controls to meet the SOC 2 criteria. The controls mapped to the SOC 2 criteria are at the discretion of the organization and service auditor regarding how they satisfy each criterion.
What Steps Should I Follow on My SOC 2 Journey?
If this is the first time your organization is undergoing a SOC 2 audit, you will want to prepare by having your service auditor perform a readiness assessment. Since there is no definitive AICPA SOC 2 audit checklist for organizations to use when preparing for a SOC 2 audit, a readiness assessment is the next best thing. A readiness assessment evaluates an organization’s preparedness for a SOC 2 examination and identifies any potential gaps for remediation before fieldwork for the SOC 2 audit starts. If done correctly, the readiness assessment will identify potential issues before the examination begins and reduce the probability of exceptions throughout the entire process, because your auditor will already have performed a thorough review of all control activities.
Every readiness assessment is different, as there is also no SOC 2 readiness assessment checklist. The goal of the readiness assessment is for the organization to identify the processes and controls relevant to the SOC 2 report and any associated weaknesses requiring remediation. The readiness assessment allows you to resolve those issues before starting the SOC 2 examination and, hopefully, complete a surprise-free audit.
Additionally, the readiness assessment will give your organization an idea of the processes that will be covered and a preview of the questions and evidence your service auditor will request when they return to perform the fieldwork for the SOC 2 audit.
Completing a SOC 2 audit on time and within budget starts with a clear understanding of the major deliverables and milestones related to the examination. Specifically, before fieldwork begins, you’ll need to identify and assess controls, identify gaps and deficiencies within your control environment, correct those gaps, assign roles and responsibilities to internal personnel for the audit, and much more.
Be Prepared to Remediate
One of the most challenging and time-consuming aspects of a SOC 2 project is remediation. Generally speaking, there are two types of remediation that occur:
- Technical & operational remediation, and
- Documentation remediation.
As for the technical/operational aspects, many businesses find they need to reconfigure their information systems to address security issues, such as strengthening passwords, removing insecure services, hardening network devices, and much more. The internal effort required to remediate these items can be considerable, but it almost always improves both security and efficiency. Remediation will be an essential part of any SOC 2 compliance checklist, as every business has something to improve.
As for documentation remediation, information security policies and procedures are a big part of IT compliance. Most companies simply don’t have up-to-date and relevant IT security documents in place, and authoring security materials from nothing can be exhausting. For the most part, firms find it easier to start from policy and procedure templates and customize them where necessary than to formulate policies and procedures from scratch.
Understanding What Auditors are Looking for
A SOC 2 audit can be stressful for any IT team, but with the right preparation and support from your auditor, it doesn’t have to be something to fear. If security policies and procedures are well-developed, matured, and regularly maintained, preparing for an audit should not present a massive disruption to the organization. For best results, approach compliance as a year-round exercise, instead of a one-and-done exercise.
Here’s what you need to know in terms of audit deliverables and overall audit expectations. First and foremost, auditors are looking for evidence: information security processes and procedures, signed memos, screenshots from various systems, and log reports that document and prove controls are operating as designed.
So, what does this mean for service organizations? It means you’ll need to collect comprehensive audit documentation to satisfy the auditors’ evidence requests. Be open and honest, provide all the evidence you can, and for anything you cannot provide, speak with the auditors and work out a solution together. Miscommunication and misunderstandings often lead to friction between auditors and service organizations, so communicate early and often during the audit.
How Long Does it Take to Become SOC 2 Compliant?
How long it takes to become SOC 2 compliant depends on whether you are pursuing a SOC 2 Type I or a SOC 2 Type II report. If your organization has decided on a Type I report, the process is typically much faster than for a Type II. Since a Type I report covers a point in time, you may be able to have a SOC 2 Type I report in your hands within a month.
If your organization has decided to go with a Type II report, it will need to wait the length of the review period before a report can be issued. Additionally, if the readiness assessment reveals gaps or weaknesses, your organization will need to remediate them before the Type II period begins and before fieldwork for the Type II report starts.
Other Items to Consider
In addition to performing a readiness assessment, a crucial component of the SOC 2 project is doing a risk assessment of your IT environment. A risk assessment identifies areas potentially at risk from various threats and assesses the company’s exposure to those threats. A risk assessment is often thought of as a jumping-off point to identify areas to include in your SOC 2 audit scope. It is one foundational element of any sound IT security program.
Another area that will prove valuable in the process is a penetration test. Penetration tests, also called pen tests, are useful in identifying weaknesses in your IT security by exercising your systems against the kinds of attacks real threats would use. The results provide valuable feedback on how well your systems hold up against outside threats.
Finally, Security Awareness Training should be provided to your employees to inform and educate them on the various security threats they may encounter daily and how to appropriately react and notify security personnel when an event occurs.
A SOC 2 report can be an ideal solution for many service providers looking for a more efficient way to satisfy customer inquiries about their control environment. A structured readiness process is critical. Engaging a public accounting firm such as Alchemi Advisory Group as a trusted partner to clarify every step can simplify the process, shorten the overall timeline, and achieve enterprise benefits more efficiently and effectively.