SOC 2 Readiness: Preparing for Your Audit

Date November 3, 2021
Article Authors
HBK CPAs & Consultants

A few tips to make preparations easier.

Preparing for a security audit, or any audit for that matter, can be a daunting and complicated task. Smaller organizations may find themselves with limited resources and very few, if any, formalized policies and procedures. Conversely, the magnitude of technologies, processes, and people in larger enterprises can complicate scoping, buy-in, and a host of other issues, even in organizations with an established security program.

But the hurdles your organization must clear aren’t going away. Nor are your customers’ or business partners’ requests for evidence of your security audit or current security practices. Third-party risk security questionnaires and requests for SSAE-18, SOC 1, SOC 2, or ISO certification are here to stay.

Through our extensive work helping organizations overcome the confusion and uncertainty of SOC 1 and SOC 2 audit readiness and preparation, we have encountered and addressed a wide range of client concerns and stumbling blocks. Here are a few tips we have picked up along the way that should make preparing for your next readiness assessment easier.

  • Proper scoping: Every project begins with scoping. Your audit preparations are no different. When scoping your SOC reports, limit the scope to the systems and processes you use to deliver your client services. Document the infrastructure, software, data, and people that support those services. Information security should be instilled throughout your organization, but remember your audience. The final SOC report is intended for your customers and business partners, and their biggest concerns are the systems and processes you use to provision your services and the risk to their organizations.
  • Trust service criteria: When scoping your SOC 2 report, you’ll have to determine which Trust Service Criteria you want to attest to: security, availability, confidentiality, processing integrity, or privacy. Note that only security is required. As such, we recommend that you start small. Include only security in the readiness assessment and first-year audit (unless you get specific requests to include other criteria). Starting small helps to reduce costs and upfront workloads. Additionally, you can more easily familiarize your organization with the audit process and requirements, and establish a baseline you can build on.
  • Software: Software can help, but is not necessary. You’ll find many governance, risk and compliance (GRC) and assurance software providers who will claim they can automate your SOC process or complete your assessment within weeks. However, many of these companies will not and cannot perform your audits. SOC reports must be issued by a CPA who must adhere to strict guidance and reporting standards, which, in part, is what makes these reports so valuable. Software can help you organize your documentation or map your controls, but at the end of the day, your documentation will have to stand up to the scrutiny of a professional auditor, as will the sufficiency of your controls.
  • Getting started: You probably don’t have to start from scratch. The security criterion includes nine additional “common criteria” that you are likely well on your way to achieving. Remember, SOC reports are more a communication tool than a strict framework. As such, there is no checklist of items that must be included. There are, however, some common themes, access management for example. Your organization likely has onboarding and termination processes. But how are they evidenced? Is the process repeatable? Is there a formalized policy? There is no one-size-fits-all access management process, so during the readiness assessment, you’ll want to determine whether you can evidence yours sufficiently to meet audit standards.
  • Support: Don’t be afraid to ask for help—and use a professional. Too many organizations spin their wheels for months, even years. First, they try to conduct the readiness assessment themselves, but to no avail due to organizational limitations or a lack of internal resources. Second, they’ll bring in a security consultant, skilled perhaps in creating policies and procedures but unskilled in mapping them to the SOC criteria and determining your existing gaps and weaknesses.

Eventually, you’ll find yourself face-to-face with your auditor, who is there to assess the results of the readiness assessment you or your security consultant produced, to finish that readiness assessment, or to conduct the audit. From the beginning, that auditor could have been helping you prepare for your readiness assessment and becoming familiar with your environment.

Note: you might choose to use two different entities to perform the readiness and audit functions. That often proves beneficial in terms of segregating duties or having two sets of eyes examining your documentation. Still, it is key to use professionals with experience in SOC 2, not just security. Doing so will deliver benefits beyond the assessment and audit. For example, upon the conclusion of our readiness assessment, we provide our clients actionable recommendations that leverage their existing technology and resources to keep the audit process cost-effective.

Readiness assessments are step one in your SOC 2 journey and can take up to 60 days to complete—and that won’t include the audit or the time it takes to remediate gaps and weaknesses, which depends on the significance and number of gaps and weaknesses identified.

Key takeaways:

  • Get it right from the beginning and nail down your scope.
  • Don’t be fooled by automated tools or ads claiming SOC reports can be produced in less than 30 days. I can promise your readers won’t be fooled.
  • Engage your professional advisors sooner rather than later; anything worth doing is worth doing right.
  • Have trust in yourself and your organization. You’re further along than you think. You just have to get started to know where you need to go.


Ohio Bill Would Establish Data Rights and Set Standards for Businesses

Date July 20, 2021
Article Authors
HBK CPAs & Consultants

Calling it “landmark data privacy legislation,” Ohio legislators have introduced a bill that “would establish data rights for Ohioans while requiring businesses to adhere to specific data standards.” House Bill 376, or the Ohio Personal Privacy Act (OPPA), was announced July 13 by State Representatives Rick Carfagna and Thomas Hall and Lt. Gov. Jon Husted. If the legislation passes, Ohio will join more than 20 other states enacting data privacy legislation and standards.

The Act “would primarily apply to businesses with $25 million or more in gross revenue in Ohio or businesses that control or process large amounts of data,” according to the Ohio House of Representatives’ press release. The bill includes a list of requirements for businesses, including “posting privacy notices and disclosing where data is being sold,” the release noted. There will be certain exemptions for businesses and industries with data privacy standards already in place in accordance with such regulations as the Health Insurance Portability and Accountability Act (HIPAA) and the Gramm-Leach-Bliley Act, which requires financial institutions to explain their information-sharing practices to consumers.

The OPPA offers additional incentives for all businesses. It would change laws and incentivize businesses to be proactive by providing for an “affirmative defense” against legal claims for businesses that develop and implement their own data privacy programs that meet the standards as set forth in the latest version of the NIST Privacy Framework: A Tool for Improving Privacy through Enterprise Risk Management.

The NIST framework, like other NIST frameworks, does not offer a third-party assurance program to standardize and oversee reporting. So the question remains: How will businesses demonstrate their “compliance” with the NIST framework and what evidence will be sufficient? And to what degree do we trust self-reporting? The lack of trustworthy and valid self-reporting of the NIST 171 guidelines under DFARS 252.204-7012 is essentially what prompted the U.S. Department of Defense’s Cybersecurity Maturity Model Certification.

Other “privacy frameworks,” such as ISO 27701, offer certification or third-party assurance, allowing businesses to demonstrate the effectiveness of their privacy standards, which is particularly useful should they need to take advantage of the affirmative defense’s safe harbor provisions in the event of a breach. In addition, the latest version of the American Institute of CPAs’ SOC 2 Trust Services Criteria includes “privacy” as a criterion for businesses and their auditors to report on and communicate an organization’s ability to meet privacy standards. However, it is unclear whether any of these mechanisms will suffice to meet OPPA requirements, and to what extent an organization will have to demonstrate its compliance with the NIST Privacy Framework.

As we await clarity on these issues, one thing is for certain: State regulations are shifting and most businesses will need to implement and maintain a data privacy program. To what degree they will need to communicate assurances to stakeholders is unclear, but it is something you should be discussing with your advisors.
