How Secureframe can help

According to a recent System and Organization Controls (SOC) survey conducted by the American Institute of Certified Public Accountants (AICPA), the increasing awareness of the importance of IT security at third parties has led to an almost 50% increase in the demand for SOC 2® engagements.

As more customers and business partners value SOC 2 engagements as part of their third-party risk management efforts, your service organization can expect a request for a SOC 2 report.

Offering flexibility without sacrificing security rigor, SOC 2 is one of the most common security frameworks in North America. However, complying with SOC 2 requires a comprehensive audit of your organization’s systems, processes, and controls. Preparing for such an undertaking is no easy feat.

To help, we’ve created a checklist of pre-audit steps you can take to maximize your chance of passing that audit and gaining the ability to say you’re SOC 2 compliant. You can download it below or keep reading to get a detailed overview of each step.

What is a SOC 2® audit?

A SOC 2 audit is the process you undergo to see if your organization’s control set meets SOC 2 compliance requirements. SOC 2 compliance requirements consist of five trust service criteria (TSC) developed by the AICPA: security, availability, processing integrity, confidentiality, and privacy. 

Previously referred to as Trust Services Principles, these criteria offer a framework for evaluating a service organization’s controls relevant to information and systems for SOC 2 compliance.

Why get a SOC 2 audit?

Passing a SOC 2 audit means you’re compliant with whichever trust services criteria you specified. This can help reassure customers that you have the necessary controls in place to protect their data, which may unblock deals, accelerate your sales cycle, and help you move upmarket. 

A SOC 2 report can therefore be a powerful marketing tool, showing prospects, customers, business partners, and other key stakeholders that you’re serious about data security.

Making this commitment to data security and getting a SOC 2 report requires a significant investment of time, money, and organizational resources. 

Let’s take a closer look at the steps an organization must take on its SOC 2 compliance journey below.

Your 8-step checklist to prepare for and pass your SOC 2 audit

Achieving SOC 2 compliance is not as simple as undergoing an audit. It requires you to implement controls to meet any relevant trust services criteria, identify gaps, and close them before the audit. Even when controls are in place, you must ensure your team adopts best practices for information security to maximize your chances of passing the audit. These preparations don’t happen overnight — they can take several weeks to several months.

To help simplify the process, we created an 8-step checklist for becoming audit-ready.

1. Select your report type

To start, you’ll have to select the type of SOC 2 report you want. There are two types:

• Type 1: Evaluates the design effectiveness of controls at a single point in time.
• Type 2: Evaluates the design and operational effectiveness of controls over a period of time (usually between 3 to 12 months).

In other words, Type I assesses how well you designed controls whereas Type 2 more accurately measures controls in action.

Since Type 1 only analyzes design effectiveness as of one date, it’ll be less time and resource-intensive. While Type 2 is more intensive, it carries more weight for how well your controls are designed and their operational effectiveness — both of which are more marketable. Given this increased rigor, customers typically prefer to see Type 2 reports.

Which one you select depends on what your customers are asking for, but as a general rule of thumb pick Type 2 if you care more about how well your controls function in the real world. If you’re more concerned with simply having well-designed controls and would like to save resources, pick Type 1.

2. Determine your SOC 2 audit scope and objectives

The next part of preparing for your SOC 2 audit is defining the scope and objectives. 

SOC 2 audits look at infrastructure, data, people, risk management policies, and software, to name a few items. You must determine who and what within each of these categories will be subject to the audit. 

Next, define what the objectives are for the in-scope systems or services. In others, what have you told your customers these systems or services will do? You can typically find this information in contracts, service level agreements, or published collateral (like your company website).

3. Select your trust services criteria

SOC 2 audits evaluate your controls within the audit scope mentioned earlier against the trust services criteria set out by the AICPA. 

Recall that five trust services criteria make up the SOC 2 compliance requirements:

• Security: Protecting information and systems against unauthorized access, disclosure of information, or other mishandling/damage.
• Availability: Information and systems can meet your organization’s service objectives — such as those laid out in service-level agreements — and are available for operation.
• Processing integrity: Your systems perform their functions completely, accurately, validly, timely, and in a way that meets your organizational objectives.
• Confidentiality: You collect, use, retain, disclose, and dispose of non-personal data and information properly.
• Privacy: You collect, use, retain, disclose, and dispose of peoples’ personal information properly.

Fortunately, you don’t have to undergo an audit for all five at once. The only mandatory principle is security, and the others are recommended depending on your business. For instance, if you carry a lot of personal or sensitive data it would make sense for your organization to include privacy or confidentiality.

If you’re short on resources for the audit, pick criteria alongside security that offer the highest potential ROI or those you’re close to achieving without much additional work. 

You can go for all five at once if you’re able; just keep in mind that the audit scope and cost will increase with each trust principle you add.

8. Find a SOC 2 auditor

Since the AICPA created the SOC security guidelines, any CPA firm can perform your audit for you. 

However, you’ll want to pick a CPA firm that specializes in information systems.

If you currently work with a firm that lacks CPAs with information systems knowledge and experience, your best bet is to hire a different firm for the audit. Your current firm may be able to provide some advice on preparations, but engaging with a firm that specializes in information security work will increase your chances of passing the audit. 

It’s worth noting that because there’s no formal certification, hiring a CPA firm with more SOC 2 experience can bring more prestige to the end result, maximizing your reputation among customers. 

That said, you will have to pay more for a more renowned firm.

Now you’re ready to undergo the audit. Let’s take a look at what the process is like below.

What is the SOC 2 audit process?

Understanding what to expect during the audit process can also help it go more smoothly. While each auditor may have a slightly different process depending on the technology they use, the size of the organization being audited, and other factors, here’s the general process:

1. The security questionnaire

Many auditing firms start by administering a questionnaire to you and your team. 

This contains many questions regarding company policies, procedures, IT infrastructure, and controls. 

Getting your team into good security habits as early as possible before the audit helps out here. They’ll be able to answer questions with confidence.

2. Gathering evidence of controls

Next, auditors will ask your team to furnish them with evidence and documentation regarding the controls within your organization. 

You need proof of every policy and internal control to demonstrate that things are up to par. The auditors use this as part of their evaluation to understand how controls are supposed to work.

A compliance automation tool can also automate this process so you don’t have to waste valuable time compiling evidence in spreadsheets, taking screenshots, and more.

3. Evaluation

During the evaluation, the auditors might ask the owners of each process within your SOC 2 audit scope to walk them through your business processes to understand them better. 

4. Follow-Up

SOC 2 audits are intensive. As a result, auditors often uncover matters for which they need more evidence, despite all the prep work. 

They may ask your team for clarification on processes or controls, or they may want additional documentation. 

In some cases, if the auditor notices obvious compliance gaps that can be fixed relatively quickly, they could ask you to remedy those before proceeding. 

The auditors will document their visit as well, just in case further follow-up is needed.

5. The SOC 2 report

When the audit concludes, the auditing firm will issue you a SOC 2 audit report. 

There is no formal SOC 2 certification. Instead, the main portion of the report contains the auditor’s opinion regarding the effectiveness of your internal controls as they pertain to your specified trust principles.

There are a few types of opinions they may offer:

• Unmodified (or Unqualified) opinion: No material inaccuracies or flaws in systems. This is your goal.
• Qualified opinion: There are material misstatements in system control descriptions, but they’re limited to specific areas. 
• Adverse opinion: There is sufficient evidence that there are material inaccuracies in your controls’ description and weaknesses in design and operational effectiveness.

Hopefully, your hard work pays off, and you get a SOC 2 report with an unmodified opinion for every trust criteria you chose.

How Secureframe can help you prepare for and pass your SOC 2 audit

Without the right technology and expertise, preparing for a SOC 2 audit will take a significant investment of time, money, and mental energy. 

Secureframe’s compliance automation platform, paired with an in-house team of compliance experts, can help streamline the entire process. With Secureframe, you can:

• Automatically collect evidence, test it against SOC 2 requirements, and share with your auditor in a secure Data Room
• Continuously monitor your tech stack and get alerts for threats and non-conformities to easily maintain SOC 2 compliance year after year
• Speed up time-to-compliance for other frameworks, including ISO 27001, PCI DSS, and HIPAA
• Save time on policy creation with our library of auditor-approved policy templates
• Conduct third party risk management and vendor compliance efforts using Secureframe’s risk and vendor modules
• Get expert, end-to-end support from compliance experts and former auditors throughout the entire process

As a result of these capabilities and more, 95% of Securframe users said they saved time and resources obtaining and maintaining compliance in a survey conducted by UserEvidence.

Request a free demo today to learn more about how Secureframe can simplify SOC 2 audit preparation.