5 Tips on Conducting An Initial SOC 2 Audit
Tip#1: Start simple
Assuming a company’s management already knows what the SOC 2 audit is, it is always recommended to begin initial SOC 2 certification simple. For any SOC 2 engagement, there are two basic parameters: common criteria and period. In modern age, Security is the basic common criteria that evaluate effectiveness of controls to achieve related system objectives. Subsequently, as the company matures, the company could always add additional trust service criteria to the SOC 2 report. Secondly, the company would require deciding which period the SOC 2 report should cover. For that the management should choose which of the two types of SOC 2 would help the company achieve system objectives. Type 1 tests design of internal control environment as of a particular day. Type 2 tests design and operating effectiveness of organizational controls as of a particular period usually covering from one quarter up to a full year. For further details on the main differences of Type 1 and Type 2 report please see our earlier publications.
Tip#2: Understand and Develop Internal Control Environment
Whether the organization decides to focus only on Security or extend other applicable trust service criterion, or its customers demand specific trust service criteria to be included in the report, we strongly recommend to review AICPA 2017 Trust Service Criteria for Security, Availability, Processing Integrity, Confidentiality and Privacy. This set of criteria provide with the structure of the COSO framework on which it is based and focus points for each trust service criteria (TSC or TSP). These focus points could be used as a guide in the process of developing of internal rules. Properly aligning AICPA set of criteria and focus points with the company’s system objectives will help the management successfully understand and develop the organization’s internal control environment. Selection of trust service criteria and building a proper control environment is an important process as it defines the SOC 2 scope from the beginning and help avoid unnecessary complications during the audit phase.
Tip#3: Prepare for the Audit
Once the organization decides to proceed with SOC 2 process, we recommend performing the following preparation prior service auditors’ involvement:
- Compliance Lead or Team. Depending on the size of organization, there should be appointed an internal compliance lead or form an internal compliance team. A compliance lead will be the main go-to person for the Service Auditors for the audit coordination and staff interviews. An ideal compliance lead/team knows the internal control environment, understands the services/products and core technology, and possesses good project management skills.
- Prepare documents that will support the controls. To name a few, the company should have the following documentation ready:
- Organizational Structure;
- Code of Conduct;
- Policies and Procedures;
- Reports and Approvals;
- System Settings;
- Cryptography Protocols;
- Data Backups;
- Vendor Agreements;
- Client Agreements; etc
Depending on the SOC 2 type, these documents should be up to date. So, align compliance documentation to support organizational controls and update them if necessary.
- Other SOC 2 Components. Besides selection of trust service criteria, defining the period, and developing internal control, there are other components that require preparation.
- Description of the Organization’s Systems that are at the core of delivering services/products to its customers. System description should be aligned with the objectives the system is designed to achieve and claims made to the company’s customers.
- Complementary sub-service organizations controls (CSOC) should be aligned with the company’s internal control environment. When the company uses services of third-party vendors to deliver its services to clients, then CSOC should be included into the SOC 2 report. Think of CSOC as what controls the company’s vendors should have to keep the company’s security environment in compliance.
- Complementary User Entity Controls (CUEC). These are the controls that the company’s clients need to maintain in their organizations to complement the company’s controls for a secure usage of the system/services provided.
- Communication Channels. Setting communication channels with all relevant parties is essential. Email and Video Conferencing tools are the basics. Additionally, the company might require provisioning consultants and auditors with access to a cloud data share folder, setup a secure VPN access, and/or give access to a compliance software. Preparing this before hand will allow to kick-off the audit and onboard independent service auditors faster.
- Compliance software (Recommended). Consider using a compliance software solution to streamline the company’s SOC 2 process. By automating SOC 2 processes, a compliance software helps organizations to prepare for the audit faster and efficiently.
Tip#4: Self-assess SOC 2 Readiness
Below is a high-level checklist that helps the company run high-level self-assessment of SOC 2 Readiness. Each point in the checklist could be broken down into a more granular level with specified details of organizational control environment. The aim of this post is to put the management into a right direction in the company’s SOC 2 journey and help quickly assess whether the organization is ready for the SOC 2 audit:
- All internal controls are written up and up-to-date;
- Policies, procedures, and other internal documentation are implemented;
- Staff members are aware of the control environment and properly trained to follow the procedures;
- The compliance team is ready;
- System description and objectives are ready;
- Complementary third-party, both vendors and clients, controls are considered;
- Communication channels set up.
If the company wishes to run detailed readiness assessment, there are two options: hire risk advisory consultants or get an automated compliance software, as recommended above. The selection of either options would depends on the availability of the company’s resources and timeline and budget.
Tip#5: Engage the Independent Auditor
Finally, last step in the pre-audit phase is to find Independent Service Auditors. This is an important process as the engagement is going to be recurring for the years to come, hence the management would want to make a right choice right away. Do the research on Audit Firms from Big 4 up to mid market Firms who might be a better value for the cost of their service. We suggest basing main criteria selection on Pricing, Reputation, Experience, Availability, and Approach. Logo or the brand color of an auditor does not play a big role as soon as the organization is confident on competence and objectivity of their auditors.
Contact us if you need more guidance. We look forward to hearing form you soon and wish best of luck in SOC 2 journey.