“What do you need for a SOC 2 Audit?” Prior to starting a SOC 2 examination, clients often ask us what they can do to ensure an efficient audit process that leads to rendering a clean (unqualified) opinion. Even though we can never guarantee a clean opinion, there are definite “keys” to success that lead to a more favorable outcome when implemented by our clients. Below is a list of what we consider the most crucial factors or “keys” to success.
Executive Sponsorship – This is by far the most important factor. SOC 2 examinations take time and require input and interaction with personnel from multiple departments. In addition, there are often new policies and procedures that may need to be implemented in order to meet the SOC 2 requirements. Without executive sponsorship, personnel might not be granted the additional time, or personnel from different departments might not work well together—and new policies and procedures might not be implemented and followed.
Department Cooperation – As long as there is executive sponsorship, this one should not be too difficult to implement. Typically, SOC 2 examinations require personnel from multiple departments to perform controls and provide supporting evidence. Usually, IT, Security, DevOps, Human Resources, Operations, and the C-Suite are all involved during the SOC 2 examination.
Assign an Internal Employee/Consultant to Lead the SOC 2 Engagement Process – Since multiple departments and personnel will be involved, assigning as project manager an internal employee who has sufficient knowledge of the culture and department roles will ensure that communications between the auditor and your personnel are routed to the correct person and not lost. Not only will your employees appreciate this, but the auditor will appreciate not having to contact personnel throughout your company to obtain the information necessary to complete the engagement. The project manager can also ensure that any new controls are implemented, or existing controls are properly updated, to keep the project on track and completed in a timely manner.
Keep in mind that the lead person does not have to be a security expert and typically isn’t. It definitely helps, but many times, security experts do not have the time to dedicate to “managing” the process and making sure that documentation is provided in a timely manner. Security personnel are definitely an integral part of the process and will be required to gather documentation and respond to the auditor’s questions, but it might not be feasible for them to coordinate the entire SOC 2 examination.
Manage Your Clients’ Expectations – Many times, the requirement for the SOC 2 report originates from client requests. Understanding your clients’ specific needs and when they require a final report in their hands will drive the timeline for the examination. Clients may request that reports be provided on short notice or with little lead time. For organizations that have never undergone a SOC 2 examination before, it typically takes six to twelve months (depending on type 1 or type 2) before a final report is in their hands. Having conversations with your clients early on about deadlines for completing and providing a SOC 2 report will go a long way in ensuring that you are not scrambling at the 11th hour to complete a SOC 2 engagement.
Manage Internal Stakeholders’ Expectations – It is also important to have conversations early on with internal stakeholders to ensure that they understand the rigor that is required in order to complete a SOC 2 engagement. Just like many clients who request a SOC report, many internal stakeholders might have unrealistic expectations for when the SOC 2 report may be in their hands and available for customers. An organization’s sales, business development and client account management personnel will be eager to let customers and prospects know that a SOC 2 report is available for them to review. Communicating with these departments early on is essential so that they don’t overpromise and overcommit to customers and prospects.
Engage a CPA Firm or Consultant to Perform a Readiness Assessment – A SOC 2 readiness assessment is an engagement performed by a CPA firm or consultant before an actual SOC 2 engagement. The readiness assessment will help clients gauge their preparedness for the SOC 2 examination. During the readiness assessment, a gap analysis will be performed and the current control environment will be assessed to determine if any control gaps exist. If control gaps exist, recommendations will be provided to assist with remediation. Without a readiness assessment, there is a higher chance of the SOC 2 engagement resulting in significant control exceptions.
During the readiness, your CPA firm should provide guidance and advice about controls that should be implemented in order to meet the SOC 2 criteria and guidance on how to write the system description.
Schneider Downs has created a proprietary catalog of SOC 2 controls. When performing a readiness, we utilize this catalog to help guide our clients through a readiness engagement. Many of our clients find this useful as it provides them an easy-to-understand list of controls to meet the SOC 2 criteria. Without a catalog of controls, the SOC 2 criteria might seem overwhelming and difficult to interpret for your particular business. In addition, we have a SOC 2 system description template that clients can tailor to their specific control environment. If you are interested in these documents, please feel free to reach out to me directly.
Engage a CPA Firm with Security Qualifications – When selecting a CPA firm, choose a firm with personnel that hold certifications, such as Certified Information Systems Security Professional (CISSP) or Certified Information Systems Auditor (CISA), in addition to CPAs. Possessing the CISSP and the CISA demonstrates that the firm understands the SOC 2 reporting framework and security risk management strategies.
Understand the Role of Your Vendors in Meeting SOC 2 Requirements – Vendors might play an integral part in meeting the security requirements for SOC 2. For instance, if your infrastructure resides in a datacenter owned by a third party, then you would expect your third party to have appropriate physical security controls in place for restricting access to your infrastructure. In order to meet the physical security requirement for SOC 2, you would be relying on the third party’s controls to be operating effectively. When this situation occurs, it is your responsibility to appropriately monitor the operating effectiveness of your third-party controls. If your vendor undergoes a SOC 2 examination, then you can monitor your vendors’ controls by obtaining and reviewing their SOC 2 report. However, if your vendor does not have a SOC 2 report available, then your SOC 2 auditor might have to include the vendor in your SOC 2 engagement and test their controls as part of the SOC 2 report. Understanding what will be required from your vendor and communicating what will be required from them, if anything, will enable a more efficient examination process.
Maintain a Culture of Internal Control – To be successful, organizations must realize that maintaining a culture of internal control and security is a top-down mindset. Controls must be implemented with the idea that the controls will be operating continuously, unless changes in the environment require controls to be modified. SOC 2 examinations cover a continuous period of time without any gaps. To show your customers that you prioritize protecting their data, you must ensure that everyone in your organization commits to security as part of their job responsibilities.