In my previous article, I discussed the various options for performing other frameworks along with SOC 2, focusing primarily on SOC 2+ reporting. The other option (and, in my experience, the most common one) when a client is doing SOC 2 and another framework is to perform both engagements in parallel but issue two separate reports. This shares some procedures with a SOC 2+ engagement, but it does not require much of the additional testing, expanded scope, and other reporting aspects that a #SOC2+ requires (see my previous article for more info).
Performing a #SOC2 audit in conjunction with other audits can be a complex but manageable process. It requires careful planning, coordination, and expertise to ensure that all requirements are met efficiently and effectively. Here are steps to help with the performance of a SOC 2 audit alongside other audits:
- Identify Applicable Frameworks: Determine which frameworks are relevant to the client. For example, in addition to SOC 2, you might be dealing with GDPR, HIPAA, ISO 27001, FedRAMP, FISMA, or other industry-specific regulations.
- Understand the Scope: Clearly define the scope of each audit to understand what systems, processes, and data are subject to review under each framework. It is critical to determine whether the system environment is the same for the two frameworks. Sometimes, especially with government vs. commercial customer systems, the systems are actually separate in where they are hosted, how they are managed, etc., so a combined audit would not work as effectively.
- Engage a Skilled Team: Assemble a team of auditors with expertise in each relevant framework. They should understand the specific requirements and nuances of each audit. At a minimum, the more senior personnel should understand the specific frameworks. More junior personnel (who might be doing the control testing itself) are more likely to be able to “do once, use many,” because their testing of, say, change management can be used in both sets of workpapers.
- Assess Overlapping Controls: Determine which framework will be the “baseline” of controls. Typically, a client will determine the “high water mark” for their control set (whichever framework is going to be the most difficult to achieve), then identify controls that are common to multiple frameworks. These common controls can be assessed once and applied to all relevant audits, reducing duplication of effort. For example, if you’re doing FedRAMP and SOC 2, the client is likely going to use NIST 800-53 as their control baseline, and can then determine which controls from NIST 800-53 meet the in-scope SOC 2 criteria.
- Prioritize Critical Controls: Focus on controls and requirements that are critical to all compliance frameworks. Ensure that these are adequately addressed and tested.
- Coordinate Audit Timelines: Plan the audit schedules to ensure minimal disruption to the client’s operations. This might involve coordinating the calendars of different stakeholders to make sure the audit teams are meeting with, say, HR at the same time to get all of the framework’s questions answered.
- Perform Testing and Assessments: Conduct testing including technical testing, interviews, walkthroughs, sample testing, and document reviews. Consider the test steps for controls that overlap. Which walkthroughs are shared? Which sample tests can be shared (and what should the sample method and size be, based on the high water mark of the frameworks involved)? How will the control writeups be shared?
- Leverage Shared Documentation: Use shared documentation and evidence where possible. For example, risk assessments, security policies, and incident response plans may apply to multiple framework requirements. Also consider using shared testing or walkthrough documentation (e.g., the SDLC process is likely to be the same walkthrough and testing for both frameworks).
- Manage Findings and Remediation: Consolidate findings and prioritize remediation efforts across all audits, where applicable. For example, in a SOC 2 Type 2, which tests operating effectiveness over a past period, remediation will not change how exceptions/findings are reported. Ensure that corrective actions address deficiencies identified by all applicable frameworks.
- Reporting: Prepare separate audit reports for each framework, clearly outlining findings, recommendations, and compliance status (where applicable).
- Certifications and Attestations: If applicable, issue certifications or attestations for each compliance framework separately.
- Maintain Independence and Objectivity: Ensure that the auditing process remains independent and objective. Avoid conflicts of interest, especially if the same audit team is working on multiple audits.
- Engage with Stakeholders: Communicate regularly with stakeholders, including the organization's management and compliance officers, to provide updates on audit progress and findings.
- Continuous Monitoring (if applicable): After completing the initial audits, establish a system for ongoing monitoring and compliance management to ensure continued adherence to all frameworks (see FedRAMP requirements).
- Documentation and Record Keeping: Maintain comprehensive documentation of all audit activities, findings, and remediation efforts for each framework separately.
- Audit Follow-up (if applicable): Conduct follow-up audits as necessary to verify that remediation efforts have been successful and that the organization remains in compliance.
- Stay Informed: Keep abreast of changes in regulatory requirements and compliance frameworks to ensure ongoing compliance.
The pros and cons of performing SOC 2 concurrently with other frameworks
Pros:
- Efficiency gain for both client and auditor once frameworks and commonalities are determined for controls and testing
- Allows more flexibility between frameworks (where the requirements of one won’t always impact the other – see my previous article for more detail)
- Findings/exceptions don’t necessarily affect the other report if the finding is not related to the other framework
- Longer reporting or delays won’t affect the other report (for example, FedRAMP SARs are issued after POA&Ms are completed, but that won’t delay the SOC 2 report)
- Customer of the client only gets the report that they are interested in
Cons:
- Have to issue and provide to customers two separate reports if they are interested in both
- Two different reports will have to undergo quality review, adding review time to the engagements
- Potential for separate contracting with client
- Longer time that the reporting is “open” for both client and auditor
Performing multiple audits concurrently can be challenging, but it can also lead to efficiency and cost savings for the client. Effective coordination, prioritization, and shared resources can help auditors and organizations manage the process more smoothly.
At Fortreum, we have worked hard on our audit coordination efforts, specifically our FedRAMP & SOC efforts. With proper planning and team effort, we have made our clients very happy by satisfying their various compliance efforts. Reach out to learn more!
Hey #cpafirms! If you have clients that you are doing SOC work for, but are in need of FedRAMP help, Fortreum can work with you! As a top #3PAO in the FedRAMP program, we have staff that understand FedRAMP in-depth, but also have an understanding of what your firm would need for SOC.
We want to be a partner you can trust. Our team can work with you to coordinate efforts and share resources and documentation, all while ensuring your client stays within a trusted network with trusted advisors. Give us a shout to work with us!