Interview with a SOC 2 Auditor: Common Misconceptions About SOC 2 Audits
If you’re preparing for your first SOC 2 audit, the process can be intimidating. You want all of your ducks in a row before your auditor begins work on your report, but making sure every policy and document is in order can be stressful.
To help companies prepare for a successful audit, we interviewed experienced SOC 2 auditor Ryan Johanson, owner of Johanson Group LLP. Johanson shared his insights into common misconceptions SOC 2 newcomers have about the audit process, as well as his top tips for a successful audit.
What sets Johanson Group apart?
We pride ourselves on our communication. Every client knows how important they are: we offer flexible audit start dates, kick-off calls, and follow-up communications. We make sure our clients understand exactly what’s needed so that everything is in place when the audit begins.
We’re also dedicated to an efficient process. We find that Secureframe does an amazing job of preparing clients during the pre-audit check, so when we come in, there are maybe 1-2 additional questions that their customer support team can answer without clients even having to be involved. It’s typically 4-6 weeks from when they tell us they’re audit ready to a completed report.
Can you walk us through the SOC 2 auditing process for Johanson Group?
Once a client passes their pre-audit check in Secureframe, we open their Secureframe instance, collect their policies, procedures, and evidence, add it to our auditing software, and begin the audit. We may have a few additional questions or evidence requests that we either send to the client or work out with their Secureframe customer support.
Next we’ll send a draft report for the customer to review, along with management representation letters. Then we’ll issue the final report. The last few steps happen pretty quickly — typically within one business day.
What are the most common mistakes and misconceptions you see from companies during the audit process?
The biggest mistake we see is not taking the audit seriously or trying to cut corners. Simply put, there aren’t any corners to cut. Everything is important, so you need to find a way to make SOC 2 requirements fit the way your business is running.
Oftentimes we see clients that try to avoid putting all of the policies in place, or they want to skip the vulnerability scan or background checks. You have to do the work to make yourself secure.
The other common misconception is that auditors are there to find exceptions or make sure you fail. Nothing could be further from the truth! We’re there to help you through the SOC 2 process and see you succeed. Of course, we’ll do a thorough audit and make sure you’re compliant, but we’re not there to try and trip you up.
What advice do you have to help companies be successful working with an auditor?
Communication is so important. Each business runs differently, and not all controls or template policies may apply to a company — especially small companies. With a two-person company, for example, the traditional code review process isn’t very applicable. So you need to come up with a different way to make sure code is properly reviewed before being released into production.
In cases like these, make sure you’re talking with your auditor ahead of time to verify that they’re comfortable with a policy being changed. That way, when the audit starts, you won’t be stuck with a policy that doesn’t effectively cover the tenets of SOC 2.
My other main piece of advice is to start early. The SOC 2 compliance process takes longer than you think it does, even for small teams. It takes time for you to get your whole company on board, for you to properly prepare policies and evidence, and then there’s a minimum audit period of three months for most audit firms, Johanson Group included. You need to bake that audit window into your SOC 2 timeline.
Ready to automate your SOC 2?
Now that you have a better understanding of what SOC 2 auditors look for, you’ll be able to better prepare and go into your audit confidently.
Our compliance automation platform makes it easier and faster to achieve SOC 2 compliance. We help organizations of all sizes write policies, train their staff, collect evidence, and monitor their security posture. Request a demo to see how Secureframe can help you get SOC 2 audit-ready in weeks, not months.