If you’re a product or service organization that handles client data, you should seriously consider getting a SOC 2 audit. Larger companies that contract your services often require having a SOC 2 audit report to do business with them.
More importantly, though, you’ll need to develop a security program that addresses the security challenges of handling client data. SOC 2 is a framework that helps you do that. The SOC 2 standard organizes its requirements into five trust services criteria (TSCs): security, availability, processing integrity, confidentiality, and privacy. We go into detail about the SOC 2 standard itself here. Now, let’s talk about the SOC 2 audit process and how to prepare for it.
How to Choose An Auditor
How your SOC 2 audit turns out depends largely on the auditor. Some have sophisticated knowledge of information security and others, well, don’t. We always prefer to work with auditors experienced in information security. An auditor who doesn’t actually understand security can’t speak to what really matters, namely whether the controls you have in place genuinely address the trust services criteria. An auditor who can only check boxes (this control does or does not map to a given TSC; this control test did or did not produce the expected result, with a failure recorded as an “exception”) isn’t much help. For example, such an auditor can’t assess whether compensating controls reduce the risk behind an exception to an acceptable level. An auditor with a strong grasp of security can make those determinations, which directly affects whether the audit results in an unqualified opinion (a clean report, which is what you want) or a qualified one that flags material exceptions.
When looking for an experienced SOC auditor, ask whether they’ve audited companies similar to yours, specifically in terms of company size and level of security maturity. If your industry has a specialized set of security risks, it’s even more important that the audit firm has worked with other companies in your industry.
Many firms use multiple auditors in a layered review. Find out what the audit firm’s process is. They may have junior auditors do the initial review who don’t yet have the experience to properly identify and address exceptions. The firm can still be a good fit if senior auditors, with whom you can have constructive conversations, provide the second layer of review.
In addition to experience, we also value auditors who are transparent about what they’re going to ask for and how they operate. If you don’t feel a sense of transparency from them in response to your qualifying questions about their experience and process, it is possible they won’t be forthcoming during the audit process.
Some of our clients chose to go with the “big name” audit firms because they audit major companies like Salesforce and Google. They feel these auditors are a safe option, because who’s going to question their expertise? They’ll pay for that safety, of course, as audits by the big firms can cost $100,000 or more.
You don’t need to spend six figures on your SOC 2 audit, but you also don’t want to choose an auditor solely on price either. A “cheap” SOC 2 audit can be around $25,000, but that’s likely a small firm that lacks the security sophistication you want your auditor to have. We refer clients to five reputable audit firms, ranging from medium to large and specialized.
What You Need For Your Audit
To put it bluntly, you will need documentation, and lots of it. The documentation starts with the security policies and procedures you develop to secure your own and your customers’ data. You’ll need additional documentation that demonstrates how your company consistently applies and communicates those policies and procedures. Change management documentation, covering both your security policies and your information security environment, will also be necessary.
You may also need documentation of how you regularly test and validate your controls and policies. A SOC 2 Type 1 report validates that you have controls and policies in place as of a specific date. If you’re engaging in a SOC 2 Type 2 audit, you’ll need to provide evidence of control operation and test results over a review period, typically six to 12 months, showing how your controls hold up over time.
You’ll have to prepare a System Description, which the AICPA breaks down into nine “description criteria” categories:
- Types of services provided
- Principal service commitments and system requirements
- Components of the system used to provide services
- System incident reports
- Applicable trust services criteria and related controls showing the service commitments and system requirements were met
- Complementary user entity controls (CUECs)
- Complementary subservice organization controls (CSOCs)
- Specific trust services criteria not applicable to the system, with an explanation of why those criteria aren’t relevant for your organization
- Significant changes to the system during the examination period (Type 2 reports only)
The above is not an exhaustive list of the documentation you’ll need for a SOC 2 audit. However, if you’re approaching information security right, much of the documentation needed will be a natural output of building a strong security program.
There are tools that can help automate evidence gathering and preparation, which makes preparing for an audit less onerous, but they can’t do the job on their own. For example, you can run a tool to document how permissions are organized and applied. However, to know whether the permissions for a given application are set up correctly, you need to know what the application does and who should have what type of access. A tool can’t make that assessment. The tools the SPIO platform uses to collect and document audit evidence do speed up the process, but we always advise clients to use them in the context of human judgement.
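As an added illustration of that division of labor (example code written for this article, not part of the SPIO platform or any real IAM export), the script below takes a constructed permission export of the kind a collection tool produces, compares it with a human-written expected-access map, and emits a hashed evidence record listing the exceptions. All principals, resources and access levels are made up; the tool does the mechanical comparison, while the expected-access map is the judgement only a human can supply.

```python
"""Access-review evidence: mechanical collection plus a human-authored expectation.

The export below stands in for what an evidence-collection tool pulls from an
IdP or cloud IAM; the expected-access map is the part only a human can write,
because it encodes what the application does and who should touch it.
All sample data is constructed for this example.
"""
import hashlib
import json
from collections import defaultdict

# Constructed sample: what an automated tool might export for one application.
PERMISSION_EXPORT = [
    {"principal": "alice@example.com", "resource": "billing-db", "level": "admin"},
    {"principal": "bob@example.com", "resource": "billing-db", "level": "read"},
    {"principal": "carol@example.com", "resource": "billing-db", "level": "write"},
    {"principal": "svc-reporting", "resource": "billing-db", "level": "read"},
    {"principal": "former-contractor@example.com", "resource": "billing-db", "level": "read"},
    {"principal": "alice@example.com", "resource": "customer-files", "level": "read"},
]

# Human-authored expectation (constructed): who should have what, and why.
# A tool cannot produce this; it comes from knowing what the system does.
EXPECTED_ACCESS = {
    "billing-db": {
        "alice@example.com": "admin",   # DBA
        "bob@example.com": "read",      # finance analyst
        "carol@example.com": "read",    # support: read-only by policy
        "svc-reporting": "read",        # nightly report job
    },
    "customer-files": {
        "alice@example.com": "read",
        "dave@example.com": "read",     # expected by the owner; verify it still exists
    },
}

# Ordering of access levels so "more than expected" can be detected.
LEVEL_RANK = {"read": 1, "write": 2, "admin": 3}


def review_access(export, expected):
    """Compare observed grants with the expected-access map.

    Returns a dict of findings keyed by finding type. Each entry is an
    exception an auditor would ask about; whether a compensating control
    covers it is still a human call.
    """
    findings = {"unexpected_principal": [], "over_privileged": [], "missing_expected": []}
    observed = defaultdict(dict)
    for grant in export:
        observed[grant["resource"]][grant["principal"]] = grant["level"]

    # Grants present in the export that the expectation does not allow.
    for resource, grants in observed.items():
        allowed = expected.get(resource, {})
        for principal, level in grants.items():
            if principal not in allowed:
                findings["unexpected_principal"].append((resource, principal, level))
            elif LEVEL_RANK[level] > LEVEL_RANK[allowed[principal]]:
                findings["over_privileged"].append((resource, principal, level, allowed[principal]))

    # Expected principals that have no grant at all (possible silent removal).
    for resource, allowed in expected.items():
        for principal in allowed:
            if principal not in observed.get(resource, {}):
                findings["missing_expected"].append((resource, principal))
    return findings


def evidence_record(export, findings):
    """Produce a tamper-evident evidence artifact for the audit binder.

    The SHA-256 of the canonical export ties the findings to the exact data
    they were computed from, so reviewer and auditor can confirm nothing
    changed between collection and review.
    """
    canonical = json.dumps(export, sort_keys=True, separators=(",", ":")).encode()
    return {
        "export_sha256": hashlib.sha256(canonical).hexdigest(),
        "grants_reviewed": len(export),
        "exception_count": sum(len(v) for v in findings.values()),
        "findings": findings,
    }


if __name__ == "__main__":
    result = review_access(PERMISSION_EXPORT, EXPECTED_ACCESS)
    print(json.dumps(evidence_record(PERMISSION_EXPORT, result), indent=2))
```

Run against the constructed data, the review flags three exceptions: a former contractor who still has read access to billing-db, a support user with write where policy says read, and an expected principal with no grant on customer-files. Each of those is exactly the kind of item the auditor will ask about, and deciding whether, say, database-level logging is an adequate compensating control for the over-privileged account is the judgement the tool cannot make.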
Who Inside Your Organization Needs To Be Involved?
You definitely want a senior person to provide executive oversight. We recommend appointing someone with budget authority to take responsibility for company security as a valuable first step in improving your company’s security (it is one of 21 actions your company can take to improve its security fast). Depending on personnel available, this person could also be the one who coordinates all SOC 2 audit activities.
IT staff and others in more junior roles can pull together the documentation and other evidence that you’ll need to provide to the auditors. If you have dedicated security personnel, like a security or DevOps engineer, they’ll certainly be involved. These people are key to showing how your security program detects and responds to security events.
A clear, well-written System Description will be helpful, so you’ll need someone with writing skills and strong knowledge of information security. As with other assistance in preparing for a SOC 2 audit, you can outsource writing the System Description, say by using the SPIO platform and Virtual CISO services.
As you think about the actual audit process, it is useful to know how much time the audit firm expects you to spend with them. From our observation, it usually requires an ongoing commitment of 2-8 hours per week during preparation and then a fairly full two weeks during the audit period itself. Many audits involve a week of evidence-gathering meetings that require not only the audit lead but also the company expert on each meeting’s topic, who can help collect the evidence.
Understanding The SOC 2 Audit Process
While SOC 2 has five trust services criteria, you don’t need to include all five in your SOC 2 compliance program. Security is the “common criteria” and is part of every SOC 2 audit. You can stop with that criterion, but your System Description will have to explain why your security program and SOC 2 audit don’t include the other four TSCs. The more TSCs you include, the more valuable your SOC 2 report will be. Further, as a service provider, some of your potential clients and partners may specify which TSCs your SOC 2 report needs to cover.
As for the SOC 2 audit itself, there’s a formal, highly recommended path you can follow:
- Gap analysis and readiness assessment to identify where your security program and controls don’t meet the relevant TSC requirements. This can be a self-directed assessment before the auditor gets involved. It can also be a service the auditor offers, and it may be well worth paying for, since this is often when the auditor lays out in detail the controls they will expect to see.
- SOC 2 Type 1 audit, which validates that your company has controls in place that map to the TSCs as of a specified date.
- SOC 2 Type 2 audit, which assesses performance of your security program and TSC-mapped controls over a specified period of time.
Following this path can be quite involved, but it’s a good model for getting controls in place quickly while also building a body of evidence about their implementation.
A SOC 2 Audit Shouldn't Be A Paper Chase
When you do consider getting a SOC 2 audit, don’t think of it simply as obtaining a report with a stamp of approval. You can always find auditors who take that approach, but it won’t be a meaningful path towards building a mature security program that impresses potential partners.
You may be motivated in the moment because a client or your sales team is telling you having a SOC 2 audit report is necessary. Yet the report won’t matter much if it doesn’t reflect a substantive security program that can, in fact, protect your clients’ data. Practical security is the goal, and the carefully prepared documentation and reporting are a critical means to that end.