Many organizations view SOC 2 audits as a necessary cost of doing business. But the audits actually serve as a competitive differentiator and as a way to strengthen relationships with customers and partners — by demonstrating just how seriously an organization takes security and compliance in order to protect sensitive data. This blog highlights the main areas auditors examine when performing SOC 2 assessments to determine an organization’s state of compliance. The blog also presents ways organizations can prepare for what auditors want to see — technically, operationally, and culturally.
Say the word “audit” to anyone, and they’re likely to make a quick exit from the room. What you plan to say next can’t be pleasant!
But with SOC 2 audits, the experience can actually benefit your business, helping you solidify relationships with your customers and partners. Successfully completing the audit shows them that you take compliance and the protection of data seriously.
A SOC 2 audit generally evaluates an organization’s information security and privacy controls to determine its ability to protect customer data. Many companies looking to outsource services to third-party vendors consider the SOC 2 audit report a standard requirement for establishing partnerships.
As a result, organizations large and small leverage the SOC 2 report as a competitive differentiator that helps them win more deals. And as organizations complete their SOC 2 audit and negotiate with new business partners, they also realize that how they approach the SOC 2 audit and report process is almost as important as the binary state of achieving compliance.
This blog highlights the main areas auditors look at when performing SOC 2 assessments to determine an organization’s state of compliance. The goal is to help you prepare for what they want to see technically, operationally, and culturally.
Defining Your Service and Scoping the Audit
One of the key aspects of a SOC 2 audit is that you need to tell the auditor what your service does and what it does not do. You’ll need to share a complete picture of the service, including all applications, hardware systems (on-premises and in the cloud), data sets, activities, transactions, data exchanges, storage, access control, and logging.
The next step is determining the scope of the SOC 2 audit. Scope is expressed in terms of the five AICPA Trust Services Criteria categories:
Security – Information and systems are protected against unauthorized access, unauthorized disclosure of information, and damage to systems that could compromise the availability, integrity, confidentiality, and privacy of information or systems.
Availability – Information and systems are available for operation and use to meet the entity’s objectives. This category covers information used by the entity as well as the products and services provided to customers.
Processing Integrity – System processing is complete, valid, accurate, timely, and authorized to meet the entity’s objectives.
Confidentiality – Appropriate controls protect confidential information from collection and creation through final disposition and removal from the entity’s control.
Privacy – Personal information is collected, used, retained, disclosed, and disposed of to meet the entity’s objectives. While confidentiality applies to various types of sensitive information, privacy applies only to personal information.
You and your auditor will refer to these categories to determine the scope of your SOC 2 audit. Security is required in every SOC 2 examination; you then decide whether to add any of the other four, depending on the nature of your service, your risk posture, and your contractual obligations. Every category you add expands the evidence you must produce, so scope deliberately. After you agree on the scope, your team will develop and tune policies to match it.
Existence and Implementation of Policies
You will also need to demonstrate that you have defined sufficient policies to meet the operational requirements of the Trust Services Criteria. Take note – it’s not enough to just document the policies; you must also prove you have distributed the policies to employees, including new hires. Another requirement is to confirm, with documentation, that all employees have read and signed off on agreeing to the policies.
But the requirements don’t end there. You need to implement procedures to handle the daily operations that support your policies. And if the environment in which your service operates happens to change, you must update the policies to reflect any changes. And, yes, the signatures – and proof of such – are needed again.
The same holds true for risk assessments, penetration tests, security awareness training, and the many other activities your policies call for. Perform each of them at least as often as the policy requires, and keep the evidence that you did. Just as important, manage the results properly: if an activity uncovers a problem, don’t ignore it. Track it, take corrective action, and record when and how it was resolved.
Gap Analysis: Evidence Collection of Implemented Controls to Enforce the Policies
Organizations apply processes and technology to help manage the enforcement of policies. SOC 2 auditors also assess these controls to determine their efficacy against the policies. Sometimes the processes and technology aren’t enough, and people must be involved. The interaction between the people and the technology also needs to be documented for evaluation by the auditor.
Inevitably, you will discover gaps within the people, process, and technology controls you implemented for the defined scope. Ideally, you want to identify these yourself before the SOC 2 audit begins. Either close the gaps before the auditor uncovers them, or devise a remediation plan that states how and by when you will close them. The auditor will want to see this plan and will appreciate that you offered it proactively rather than waiting to be asked. Depending on how severe a gap is relative to the audit scope, it may still delay completion of the report. However, if you can show a prospective business partner the delay together with a credible, dated action plan, that is often enough for them to proceed.
Evaluation, Mitigation Activities and Progress
Often the act of defining policies, implementing controls, and responding to gaps is not enough. Many auditors will want to know HOW and WHEN the activities took place (your customers and partners will be interested in this as well). For example, when a large share of employees failed the security awareness training assessment, did you respond straight away, and what did that response consist of?
As you can see from the above, you really don’t want any surprises. Neither does the auditor, and neither do your customers or partners!
The auditor will look at the above items with the end-result report in mind. Once they view the system and the scope, they will have a fairly clear view of what the report should include and look like. The bar will be set both in their minds and in their auditing system, and it will be your job to help them travel that path to SOC 2 success, with as few hiccups and roadblocks as possible.
Culture of Compliance and Security
When and how you go about security and compliance matters. Your company may meet the letter of the criteria, but many auditors also want a feel for how the company actually operates. They will look at how quickly you take care of compliance issues, how you approach the solution to any problems, and how you communicate the status and actions surrounding compliance activities.
If there is any question about your approach to a particular situation, it may lead the auditor to explore further, request additional evidence, and dig deeper until they are comfortable that you take compliance seriously. Each discrepancy they encounter along the way extends that process.
If the auditors don’t gain appropriate comfort over the operation of your controls, it can make the audit more difficult and potentially jeopardize the timing or completion of the attestation report.
The Ultimate Payoff: Being Trustworthy
The ultimate goal of any partnership is to be trustworthy. Saying you are trustworthy is one thing. Demonstrating it in a report is another. Living and breathing SOC 2 compliance every day is something else again, and for many business engagements it is becoming the expectation on top of the report itself. Many businesses don’t want just the report; they want to see first-hand how their partners think about and practice security and compliance.
That’s why planning and selecting the right partner to help you with your SOC 2 audit is essential. In addition to evaluating your technology stack for compliance, we can assist in assessing your people and your processes to make sure you’re ready the next time a customer or partner asks for an audit.