How to prepare for a SOC 2 audit
A SOC 2 audit examines whether an organization’s controls (other than those over financial reporting) meet the AICPA’s Trust Services Criteria. A clean report shows that you are maintaining the security, availability, processing integrity, confidentiality, and privacy of the systems that handle customer data. That report is how you demonstrate that you’ve earned your customers’ trust, so you must prepare for a SOC 2 audit carefully.
In this blog post, we’ll explain how to prepare for a SOC 2 audit in five steps.
Step 1: select the reporting period for your SOC 2 audit
The reporting period for your SOC 2 report depends on which kind of SOC 2 audit you choose. There are two types: Type I and Type II.
A Type I SOC 2 audit is a snapshot: the auditor assesses whether your controls are suitably designed and in place at a single point in time. A Type II SOC 2 audit, on the other hand, evaluates whether those controls operated effectively over a review period, commonly six to twelve months.
Which type of audit should you choose? That depends on which report your customers expect to see. A Type I can be completed sooner, but if you want a Type II report from the outset, your controls must already be running (and producing evidence) for the whole review period before the audit can conclude.
Step 2: determine the criteria you need to evaluate
To prepare for a SOC 2 audit, you also need to figure out which criteria you’ll be evaluated against. The AICPA (the organization that developed SOC 2) defines five Trust Services Criteria categories:
- Security
- Availability
- Processing integrity
- Confidentiality
- Privacy
Security (the common criteria) is mandatory; the other four categories are optional. Which ones should you include in your audit? It depends on what matters most to your customers.
For example, if you only store data for customers, availability matters and processing integrity probably doesn’t. If you’re in the healthcare space, confidentiality and privacy are critical.
Step 3: gather all your documentation
Your documentation shows everything you’re doing to maintain AICPA’s trust service principles. What do we mean by “documentation”?
“Documentation” is anything you have written down that shows what you’re doing, how you’re doing it, and proof that you’ve done it. For example, security policies are evidence of what you’re doing. Written procedures show how you’re putting those policies into practice. Supporting documentation (such as reports generated after a procedure is carried out, tickets, or emails showing that something has been done) serves as proof.
A few words on documentation
You need to have these policies, procedures, and proof in place before the audit begins. Documentation can’t be produced on an ad hoc basis after the fact, and for a Type II audit the proof has to cover the entire review period, not just the week before the auditor arrives.
Moreover, your SOC 2 compliance documentation should be organized and easy to find. Storing it in several different places makes the evidence-gathering process take longer. Using a document management system (such as G Suite) helps, as does having a well-maintained spreadsheet that maps each control to its policy, procedure, and evidence. However, a spreadsheet doesn’t scale, nor does it update on its own.
SaaS management software with robust IT automation and integrations solves that problem: it updates itself continuously, unlike a spreadsheet. Workflow software that keeps a history of changes and tasks also makes it easy to produce supporting documentation for an audit.
Step 4: perform a gap analysis
“Gaps” refer to differences between where you are and where you want to be. Running a gap analysis looks at what those gaps are and how to bridge them.
To run a gap analysis so you can prepare for your SOC 2 audit, assess where you are with the SOC 2 controls you’ve chosen to evaluate. Are you maintaining the availability of information for your clients, or do you need to improve that? Where are you at with data security?
Next, think about where you want to be. Obviously, everyone wants to be doing the absolute best they can – 100% uptime, zero data breaches, no processing errors. Yet, you also need to be realistic. How long will it take you to achieve your target? Can you meet that goal in a year, or will it take you longer?
Following that, identify what gaps exist. For example, if your target is 100% uptime for data availability but you’re currently at 80%, your gap is 20 percentage points.
Gap identification represents a great opportunity to figure out why the gap exists in the first place. What’s stopping you from 100% uptime? You might have to do quite a bit of digging to answer those questions. Yet, it’s worth it to figure out what’s holding you back.
Finally, you need to come up with a plan to close those gaps. Base the plan on the information you discovered during gap identification. For example, if it turns out your admins are too busy with other tasks to ensure uptime, you need to figure out a way to free up their time. Also, think about the cost to implement each solution. How much will it cost for your admins to ensure 100% uptime? Will you need to outsource their current workload? Then, determine when you want to close those gaps by, and what milestones will mark the process.
Step 5: meet with your auditor
Meet with your auditor to prepare for a SOC 2 audit. Only a licensed CPA firm can issue a SOC 2 report.
SOC auditors must adhere to standards established by the AICPA. They have to follow guidelines for planning, executing, and supervising audits. Additionally, CPA firms undergo peer review to make sure that their audits meet those standards.
CPA firms often employ non-CPA professionals who have relevant security and IT skills. They can carry out much of the fieldwork for a SOC 2 audit, but the report itself is issued under the CPA firm’s name.
When you meet with your auditor, bring all of your documentation. Take the time to organize the documentation – you don’t want to make your auditor’s life more difficult.
If you’re not already working with an auditing firm, search for one that has experience in SOC 2 audits as well as a good reputation. Ultimately, their findings affect your good name.