A few tips to make preparations easier.
Preparing for a security audit, or any audit for that matter, can be a daunting and complicated task. Smaller organizations may find themselves with limited resources and very few, if any, formalized policies and procedures. Conversely, the sheer number of technologies, processes, and people in larger enterprises can complicate scoping, buy-in, and a host of other issues, even in organizations with an established security program.
But the hurdles your organization must clear aren’t going away. Nor are your customers’ or business partners’ requests for evidence of your security audit or current security practices. Third-party risk security questionnaires and requests for SSAE-18, SOC 1, SOC 2, or ISO certification are here to stay.
Through our extensive work helping organizations overcome the confusion and uncertainty of SOC 1 and SOC 2 audit readiness and preparation, we have encountered and addressed a wide range of client concerns and stumbling blocks. Here are a few tips we have picked up along the way that should make preparing for your next readiness assessment easier.
- Proper scoping: Every project begins with scoping. Your audit preparations are no different. When scoping your SOC reports, limit the scope to the systems and processes you use to deliver your client services. Document the infrastructure, software, data, and people that support those services. Information security should be instilled throughout your organization, but remember your audience. The final SOC report is intended for your customers and business partners, and their biggest concerns are the systems and processes you use to provision your services and the risk to their organizations.
- Trust service criteria: When scoping your SOC 2 report, you’ll have to determine which Trust Service Criteria you want to attest to: security, availability, confidentiality, processing integrity, or privacy. Note that only security is required. As such, we recommend that you start small. Include only security in the readiness assessment and first-year audit (unless you get specific requests to include other criteria). Starting small helps to reduce costs and upfront workloads. Additionally, you can more easily familiarize your organization with the audit process and requirements, and establish a baseline you can build on.
- Software: Software can help, but it is not necessary. You’ll find many governance, risk, and compliance (GRC) and assurance software providers who will claim they can automate your SOC process or complete your assessment within weeks. However, many of these companies will not and cannot perform your audits. SOC reports must be issued by a CPA who must adhere to strict guidance and reporting standards, which, in part, is what makes these reports so valuable. Software can help you organize your documentation or map your controls, but at the end of the day, both your documentation and the sufficiency of your controls will have to stand up to the scrutiny of a professional auditor.
- Getting started: You probably don’t have to start from scratch. The security criterion includes nine additional “common criteria” that you are likely well on your way to achieving. Remember, SOC reports are more a communication tool than a strict framework. As such, there is no checklist of items that must be included. There are, however, some common themes; access management is one example. Your organization likely has onboarding and termination processes. But how are they evidenced? Is the process repeatable? Is there a formalized policy? There is no one-size-fits-all access management process, so during the readiness assessment, you’ll want to determine whether you can evidence yours sufficiently to meet audit standards.
- Support: Don’t be afraid to ask for help—and use a professional. Too many organizations spin their wheels for months, even years. First, they try to conduct the readiness assessment themselves, but to no avail due to organizational limitations or a lack of internal resources. Second, they bring in a security consultant, skilled perhaps in creating policies and procedures but unskilled in mapping them to the SOC criteria and determining your existing gaps and weaknesses.
Eventually, you’ll find yourself face-to-face with your auditor, there to assess the results of your internal or security consultant-produced readiness assessment, or to finish the readiness assessment, or to conduct the audit. From the beginning, that auditor could have been helping you prepare for your readiness assessment and become familiar with your environment.
Note: you might choose to use two different entities to perform the readiness and audit functions. That often proves beneficial in terms of segregating duties or having two sets of eyes examining your documentation. Still, it is key to use professionals with experience in SOC 2, not just security. Doing so will deliver benefits beyond the assessment and audit. For example, upon the conclusion of our readiness assessment, we provide our clients actionable recommendations that leverage their existing technology and resources to keep the audit process cost-effective.
Readiness assessments are step one in your SOC 2 journey and can take up to 60 days to complete—and that won’t include the audit or the time it takes to remediate gaps and weaknesses, which depends on the significance and number of gaps and weaknesses identified.
- Get it right from the beginning and nail down your scope.
- Don’t be fooled by automated tools or ads claiming SOC reports can be produced in less than 30 days. I can promise your readers won’t be fooled.
- Engage your professional advisors sooner rather than later; anything worth doing is worth doing right.
- Have trust in yourself and your organization. You’re further along than you think. You just have to get started to know where you need to go.