SOC 2 Audit: Keys to Success

Prior to starting a SOC 2 audit, clients often ask what they can do to ensure an efficient audit process that leads to the rendering of a clean audit opinion. Even though we can never guarantee a clean opinion, there are definite “keys” to success that lead to a more favorable outcome when implemented by my clients. Below are the top “keys” to success that when implemented, enhance the efficiency of the SOC 2 audit process and increase an organization’s chances of obtaining a clean SOC 2 report.

  • Executive Sponsorship – This is by far the most important factor. SOC 2 audits take time and require personnel from several departments. In addition, new policies and procedures will more than likely need to be implemented in order to meet the SOC 2 requirements. Without executive sponsorship, personnel might not be granted the additional time, or personnel from different departments might not work well together—and new policies and procedures might not be implemented and followed.
  • Department Cooperation – As long as there is executive sponsorship, this one should not be too difficult to implement. Many times, SOC 2 audits require personnel from several departments to perform controls and provide evidence for the audit. Typically, IT, Security, DevOps, Human Resources, Operations, and the C-Suite are all involved during a SOC 2 audit.
  • Assign an Internal Employee/Consultant to Lead the SOC 2 Audit – Since several departments and multiple personnel will be involved, assigning an internal employee with sufficient knowledge of the culture and department roles will ensure that communications between the auditor and your personnel are routed to the correct person and not lost. Not only will your company appreciate this, but the auditor will appreciate not having to chase down several different people at your company. The lead person can also ensure that projects implementing new controls or updating existing controls are kept on track and completed. Keep in mind that the lead person does not have to be a security expert and typically isn’t. It definitely helps, but many times, security experts do not have the time to dedicate to “managing” the audit and making sure that documentation is provided in a timely manner. Security personnel are definitely an integral part of the audit process and will be required to gather documentation and respond to the auditor’s questions, but it might not be feasible for them to coordinate the entire SOC 2 audit.
  • Manage Your Clients’ Expectations – Many times, the driver of the SOC 2 audit originates from client requests. Understanding your clients’ specific needs, and when they require a final report in their hands, will drive the timeline for the audit. Clients may request reports to be provided on short notice or with little lead time. For organizations that have never undergone a SOC 2 audit before, it typically takes six to twelve months (depending on whether it is a Type 1 or Type 2 report) before a final report is in their hands. Having conversations with your clients early on about deadlines for completing and providing a SOC 2 report will go a long way in ensuring that you are not scrambling at the 11th hour to complete a SOC 2 audit.
  • Manage Internal Stakeholders’ Expectations – It is also important to have conversations early on with internal stakeholders to ensure that they understand the rigor that is required in order to complete a SOC 2 audit. Just like many clients who request a SOC 2 report, many internal stakeholders might have unrealistic expectations for when the SOC 2 report will be in their hands and available for customers. An organization’s sales, business development and client account management personnel will be eager to let customers and prospects know that a SOC 2 report is available for them to review. Communicating with these departments early on is essential so that they don’t over-promise and/or over-commit to customers and prospects.
  • Engage a CPA Firm or Consultant to Perform a Readiness Assessment – A SOC 2 readiness assessment is an engagement performed by a CPA firm or consultant before an actual SOC 2 audit engagement. The readiness assessment will help clients gauge their preparedness for the SOC 2 audit. During the readiness assessment, a gap analysis will be performed and the current control environment will be assessed to determine if any control gaps exist. If control gaps exist, recommendations will be provided to assist with remediation. Without a readiness assessment, there is a higher chance of the SOC 2 audit resulting in significant control exceptions. During the readiness assessment, your CPA firm should provide guidance and advice about controls that should be implemented in order to meet the SOC 2 criteria, and guidance on how to write the system description. Schneider Downs has created a proprietary catalog of SOC 2 controls. When performing a readiness assessment, we utilize this catalog to help guide the engagement. Many of our clients find this useful as it provides them an easy-to-understand list of controls to meet the SOC 2 criteria. Without a catalog of controls, the SOC 2 criteria might seem abstract and difficult to interpret for your particular business. In addition, we have a SOC 2 system description template that clients can tailor to their specific control environment. If you are interested in these documents, please feel free to reach out to me directly.
  • Engage a CPA Firm with Security Qualifications – When selecting a CPA firm, choose a firm with personnel that hold certifications, such as the Certified Information Systems Security Professional (CISSP) and the Certified Information Systems Auditor (CISA), in addition to the CPA. Possessing these credentials will demonstrate that the firm understands the SOC 2 reporting framework and security risk management strategies.
  • Understand the Role of Your Vendors in Meeting SOC 2 Requirements – Vendors might play an integral part in meeting the security requirements for SOC 2. For instance, if your infrastructure resides in a data center owned by a third party, then you would expect your third party to have appropriate physical security controls in place for restricting access to your infrastructure. In order to meet the physical security requirement for SOC 2, you would be relying on the third party’s controls to be operating effectively. When this situation occurs, it is your responsibility to appropriately monitor the operating effectiveness of your third-party controls. If your vendor undergoes a SOC 2 audit, then you can monitor your vendors’ controls by obtaining and reviewing their SOC 2 report. However, if your vendor does not have a SOC 2 report available, then your SOC 2 auditor might have to include the vendor in your SOC 2 audit and test their controls as part of the SOC 2 audit. Understanding what will be required from your vendor and communicating what will be required from them, if anything, will enable a more efficient audit.
  • Maintain a Culture of Internal Control – To be successful, organizations must realize that maintaining a culture of internal control and security is a top-down mindset. Controls must be implemented with the idea that the controls will be operating continuously unless changes in the environment require controls to be modified. SOC 2 audits cover a continuous period of time without any gaps. To show your customers that you prioritize protecting their data, you must ensure that everyone in your organization commits to security as part of their job responsibilities.

I perform many SOC 2 audits and have helped many organizations prepare for SOC 2 audits. I hold a CPA, CISSP and CISA. If you are interested in discussing SOC 2 audits, please do not hesitate to contact me at [email protected] or 412-697-5238.

Gurbir Singh CISA, CISM, CC, CRISC, CDPSE, CGEIT

IT & IS Governance, Risk Management, Regulatory Compliance, Audits, Information & Cyber Security, Strategy & Planning

1 yr

Great article which demonstrates a complex engagement in the simplest way, amazing article

Craig Beebe

Chief Financial Officer at NextHome Tomorrow Realty

5 yr

Well written Troy

Ryan Artz

Founder, COO - Arizona Christian School District, Golden Valley Christian Academy, and Pathway for Exceptionalities.

5 yr

Great piece Troy

Joel Flood, CISSP CISA

Senior Information Security Compliance Manager | Information Security & GRC | CISSP, CISA, PMP, CIPP/US, GIAC x 4

5 yr

Very insightful, thanks for the write up.

Chris Fello

East Sales Leader @ Innovative Solutions | AWS Premier Consulting Partner, AWS Certified Cloud Practitioner

5 yr