SOC 2 Audit 101
A SOC 2 audit is designed to show your customers that you have implemented security controls that will result in the secure handling and management of their data. CPA firms conduct SOC 2 audits to confirm that your controls are working as designed. When conducting audits, CPA firms follow guidelines issued by the AICPA to ensure the audit meets the standards for professionalism and independence.
The SOC 2 Audit Process
Define Your Audit Scope
Typically, you want your SOC 2 audit to cover the services or applications that hold, process, or handle your clients’ data. Unlike a traditional financial audit, a SOC 2 does not have to cover your entire organization, only the activities within the organization that are relevant to the services you provide.
Identify the Relevant Controls
All SOC 2 audits normally include the common controls identified by the AICPA in the AICPA 2017 Trust Services Criteria. The Trust Services Criteria contains five focus areas:
- Security
- Availability
- Processing Integrity
- Privacy
- Confidentiality
All audits include the Security controls, also referred to as the Common Criteria. Each organization may decide which, if any, of the other focus areas it would like to include in its report.
Organizations may also choose to incorporate other frameworks such as NIST or HIPAA. Decisions on which frameworks and criteria to use should be made with the CPA firm to ensure agreement on your audit approach.
Document the Control Implementation
Once you have identified the controls relevant to your services, document how you will demonstrate compliance with those controls. CompliancePoint recommends you do this in consultation with your CPA or experienced consultants to make sure you provide sufficient information to your CPA firm to evaluate the control implementation and decide on the status of your implementation.
Perform a Readiness Assessment
Before you do your initial audit, conduct a readiness assessment. The readiness assessment should be conducted either by your chosen CPA firm or by experienced assessors who understand the expectations of independent auditors. The readiness assessment should evaluate the status of your control implementation and provide you with detailed results on the implementation status, including documentation of any required corrective actions.
Once you have remediated your gaps, you are ready for your audit!
SOC 2 Report Options
Organizations must decide whether to pursue a SOC 2 Type 1 or Type 2 report. A Type 1 only requires that the controls are in place as of the audit date. So, if you were being audited as of March 31, all the controls would need to be functional as of that date. A Type 2 audit tests the operating effectiveness of controls over a period of time, normally ranging from ninety days to one year. Your auditor will pull samples and evaluate evidence that your controls were in place throughout the audit period. While a Type 1 is quicker, your clients may prefer a Type 2 because it shows a sustained commitment to the control implementation.
Getting Started
There are many variables to consider as you make decisions about your audit. One of your first steps should be identifying a partner to assist you with this early in your journey. Early identification of your auditor and any external service providers will help ensure a seamless journey between your Readiness Assessment and your audit.
Look for a partner that takes a collaborative approach and is willing to take part in working sessions to help you clearly define your scope and controls. A partner with a good understanding of your current operations can use your existing processes and documentation to satisfy many, if not all, of the selected controls. Leverage your partner’s knowledge and experience to develop a detailed corrective action plan for controls that need remediation.
The Timeline for SOC 2 Audits
Organizations often start the SOC 2 journey at the request of potential clients and are eager to get that first audit in place. The time required varies depending on whether you choose a SOC 2 Type 1 or Type 2 report, as discussed above. Depending on the circumstances, it may be beneficial to perform a SOC 2 Type 1 as a first audit, followed later by a Type 2 covering a defined period. The timeline below is just an example; your timeline may be faster or slower depending on your current control implementation, the time it takes to remediate, and the audit period you choose.
CompliancePoint has a full suite of services designed to guide organizations through every step of a successful SOC 2 attestation. Our readiness services are backed by experienced staff, who can help you design controls that will best fit your existing operations. Through our readiness assessment, you will learn what controls you are not satisfying, how to remediate any existing gaps, and what controls lack proper documentation.
Our independent CompliancePoint Assurance (CPA) firm can perform SOC 2 audits for both Type 1 and Type 2 reports. Having CompliancePoint prepare your business for the SOC 2 audit performed by our CPA firm will streamline the process, saving you time and money.
Reach out to us at connect@compliancepoint.com to learn more about our SOC 2 compliance services.
Finding a credible expert with the appropriate background, expertise, and credentials can be difficult. CompliancePoint is here to help.