The SOC 2 audit has become one of the most common security attestations in the U.S. If you're looking for resources on where to start or how to select an auditor, you're in luck.
Ostendio featured 360 Advanced Practice Director John Kadechka in the SOC 2 Audit Master Class "How to Get in Shape for Your SOC 2," where he shared his top SOC 2 tips to guide you through your SOC 2 journey.
We’ve excerpted some of John’s key points from the webinar, and included them below.
How to Get In Shape for Your SOC 2: 4 Essential Tips
1. Start by talking with an auditor to determine if SOC 2 is right for you.
Scoping and the discovery call with an auditor are a critical part of the process. Number one, the client needs to ensure that they actually need a SOC 2.
There have been a few of these discovery calls [that I have joined] where, after we talked through the services they're performing, we determined that a SOC 2 probably wasn't what they actually needed. [In many cases, these clients received] due diligence questionnaires or checklists or a new client contract that said you need to have a SOC 2, but their client didn't properly understand whether or not a SOC 2 would be fit for purpose, and in some cases it's not.
That’s always the first step: making sure that a SOC 2 report is actually what you need and what your customers are asking for.
2. Ask the right questions to identify if your SOC 2 will be the real deal.
Is [the audit] complete? Is [the audit] accurate? How much reliance are we putting on it? How critical, or how high of a risk, is the control that's using that data? Going through all these factors should really then determine how robustly the auditor is going to dig into the completeness and the accuracy of that data, based upon the criticality of that control and of that key report. I think that's one of the areas that maybe some of the check-the-box firms really aren't digging into: the completeness and the accuracy of the data that's either used by us as the auditor or used as a population.
3. Create clear boundaries around your SOC 2.
After we've determined that [the organization] needs a SOC 2, it needs to be clear to management what specific services they're providing.
One of the things that we try to do in these early discovery and scoping calls is to put a fence around the system boundaries that the SOC 2 defines, talking through the infrastructure, the data, the applications, the people, all the components, really, so that we can put a fence around it.
A client may start talking about specific areas that, right away, I can say likely would not be relevant to your users, and we probably don't need to bring that into the scope of the SOC 2. Putting a fence around the boundaries and what's going to be brought in is critical to performing a SOC 2 report.
4. Lastly, set realistic expectations, and understand your audit will change year-over-year.
Management always needs to make sure that they understand what the time commitments are. With a first-year report, there's always going to be a bit more that's needed. The walk-throughs are going to be a bit more detailed because it's us gaining our understanding of your environment, and you also getting a feel for us as well.
If we're going from year one to year two and then into year three, we always have to add unpredictability to our audit procedures. The way that we audited one thing this year is going to have to change, because the AICPA requires that we try to add unpredictability year over year so that our clients aren't expecting the questions that we're going to ask or expecting the type of evidence that we're going to ask for.
Interested in more SOC 2 tips from auditors? Download Ostendio’s Best of 2022 Master Class eBook: The Ultimate Guide to Empowering a People-First SOC 2 Strategy.