Once you’ve decided to pursue a formal SOC 2 report, you’ll need to start the audit process.
How do you do a SOC 2 audit? How long does a SOC 2 audit take? How should you prepare, and who needs to be involved?
While every company is unique and each audit is different, the SOC 2 audit process does follow a typical series of steps.
Step 1: Choose Your Report Type
Before you invite an auditor to your office, your first step is to decide what type of SOC 2 attestation report your service organization needs.
- SOC 2 Type I: This is a type of audit that checks whether your systems are designed according to the Trust Services Criteria (formerly Trust Services Principles).
Type I audits are relatively cheap and easy (they can easily be done in under a month) but they provide less complete information. Think of a kid who cleans his room an hour before he knows his parents will inspect it. The room may be clean, but there’s no evidence that best practices are being consistently followed.
- SOC 2 Type II: A Type II audit examines how your systems are designed AND whether they work.
A Type II SOC report takes longer (up to a year) because the auditor needs to test that your controls actually operated as designed over the whole review period, not just on the day of inspection. But once you pass, there’s no doubt about your level of compliance and security standards.
Choose your audit type based on your budget and level of urgency.
Step 2: Define the Scope of Your Audit
First, decide if you will pursue a SOC 2 at the company level or for a specific service.
Next, decide the period of time your audit will cover. The American Institute of Certified Public Accountants (AICPA) recommends at least six months for Type II audits.
Finally, select the Trust Services Criteria you’d like to audit for. Remember, you don’t need to become compliant with all five TSC if you don’t want to. You can start with just Security, go for all five TSC at once, or perform as many as you can afford.
If your firm has limited resources, you may consider pursuing the TSC you’re closest to achieving. Or, pursue those with the most potential value based on your company and industry.
Specific industries may also want to opt for certain TSC. For example, healthcare firms must comply with HIPAA, so going for Privacy on top of Security can be a good choice.
After choosing your reporting period and TSC, determine which information security controls and systems are relevant. Then gather all documentation about these systems and controls.
During your audit, the auditor will review this documentation along with your systems and controls to determine operating effectiveness. Documents you may need to provide include:
- Asset inventories
- Change management information
- Equipment maintenance records
- System backup logs
- Code of conduct and ethics policies
- Business continuity and incident response plans
Step 3: Conduct a Gap Analysis
Now that you have all your systems, controls, and documents in place, you have to compare where you stand with what SOC 2 compliance requires.
This gap analysis allows you to identify any areas where your system falls short in protecting customer data. That way you can create a remediation plan to bring them in line before your formal SOC 2 audit.
Step 4: Complete a Readiness Assessment
As part of your preparation, you can bring in a SOC auditor to answer any questions or concerns. The auditor can also perform a readiness assessment.
During the readiness assessment, the auditing firm will perform its own gap analysis and give you some recommendations. They’ll also explain the requirements of the Trust Services Criteria you’ve selected. You’ll need to get familiar with the TSC and be able to answer questions like:
- “How is my system protected against attacks?” (Security)
- “How do we decide when to make sensitive data from the system available?” (Availability)
- “Does the system work the way it needs to?” (Processing integrity)
- “How do we ensure the system keeps private information safe?” (Privacy)
- “When information must be shared, what keeps the exchange secure?” (Confidentiality)
At the end of the readiness assessment, the auditing firm will give you a report. This report explains which controls would end up in your final SOC 2 audit report. It also explains how they are relevant to your chosen TSC and what gaps might prevent you from meeting them.
Step 5: Select an Auditor
Now all of the preparation work is complete and it’s time for your audit to begin. First, you’ll need to find an accredited CPA who can perform a SOC 2 audit and issue your company a formal report.
Make sure the firm you select is AICPA-affiliated and conducts audits based on the latest AICPA guidelines.
Here are a few other factors to consider when choosing a CPA firm:
- Level of Experience: Find a team that’s performed SOC audits for companies in your industry and of a similar size. Ask for peer reviews to learn more about other companies’ experiences.
- Length of Engagement: Make sure you and your auditing firm are on the same page about the type of report you’re pursuing and the timeframe for the evaluation. In particular, make sure to discuss the timing of the auditor’s on-site evaluation.
- Process: Your auditing firm should be able to clearly explain its process for conducting the audit and issuing a report. Do they have an online portal used to upload evidence, or are they relying on Google Drive and Dropbox? Does their system allow you to check in on progress and assessments in real time? Understanding how you’ll be working together and communicating with each other will help ensure a good fit.
- Personality: Unless you’re pursuing a Type I report, you’ll likely be working with your auditing firm for at least 6 months. This includes time spent on-site at your office. As with any partnership, it’s important to find someone you can communicate and work well with.
Step 6: Begin the Formal Audit Process
Your auditor will spend anywhere from a few weeks to a few months working with your team before producing a SOC 2 report.
Before the actual audit begins, your auditor will likely contact you to set up a time that works for both of you. They may also talk you through the audit process so that you know what to expect, and they may ask for some initial information to help things go smoothly.
Once the auditor arrives in your office, here’s the general process:
1. The Security Questionnaire
Many auditing firms start by asking your team questions about company policies, processes, IT infrastructure, and controls.
Getting your team into good security habits as early as possible before the audit helps out here. They’ll be able to answer questions with confidence.
2. Gathering Evidence of Controls
Next, auditors will ask your team to provide evidence and documentation about your controls. Auditors typically review an average of 85 unique controls.
You need proof of all of your security policies and internal controls to show that things are up to par. Auditors use this as part of their evaluation to understand how controls are supposed to work.
3. Evaluation
During the evaluation, auditors consult with the owners of each process. They walk through the business processes and security practices together to understand them better.
4. Follow Up
SOC 2 audits are intensive. Auditors often find areas where they need more evidence, despite all your prep work. A typical audit has an average of 100 evidence requests, which will all need documentation.
They may ask your team for clarification on processes or controls, or they may want additional documentation. If the auditor notices compliance gaps that can be fixed quickly, they might ask you to remedy those before proceeding.
5. Completed SOC 2 Report
At the end of the audit, you’ll receive a written SOC 2 report outlining the results. If you get an unqualified opinion, congratulations! If not, use your SOC 2 report as an instruction manual for closing the gaps and try again.
You’ll also get an opportunity to add a management response to any exceptions or issues that popped up. For example, you can explain an exception or offer an update on how you resolved it.
How Often are SOC 2 Audits Done?
The golden rule is to schedule a SOC audit every 12 months.
Completing an audit every 12 months gives you enough runway to add cybersecurity controls, do employee performance reviews, etc.
A 12-month Type II also reduces the risk of receiving “did not operate” marks in your report.
For example, say your Type II review period is from July 1 - December 31. Even if you had a penetration test done in June, it’s outside your audit window. You’ll see a “did not operate” for that control since the auditor can't attest to the control activity during your review period.
All in all, a 12-month assessment typically leads to a cleaner report. And that leads to increased trust with potential and existing customers.