There are four major steps you should follow to prepare for a SOC 2 audit. (You can even start the first one today.)
- Find a reputable CPA firm. “Wait a minute. I thought SOC 2 focused on information security. Why are you telling me to find a CPA firm?” Great question. The AICPA (American Institute of Certified Public Accountants) developed the SOC 2 framework, so your auditor will have to be a CPA firm to issue a SOC 2 report. Technically, any CPA firm can issue one. But, not any CPA firm can do it the right way.Because SOC 2 focuses specifically on security, you want a firm that understands security and the ins and outs of the AICPA guidance. So, in this case, a “reputable” CPA firm should meet as many of these qualifications as possible:
- You have a trusted relationship with them.
- They have a large information security practice.
- They demonstrate information security thought leadership by regularly creating content around relevant information security topics.
- They have the AICPA’s Cybersecurity Advisory Services Certificate.
- They have extensive experience with SOC 2 reporting.
- Work with the firm to develop a deeper understanding of SOC 2. Talk to your chosen firm about which criteria should be in your report. There are five. Below, I’ll provide the official text, as well as a “translation” in plain English.
“Information and systems are protected against unauthorized access, unauthorized disclosure of information, and damage to systems that could compromise the availability, integrity, confidentiality, and privacy of information or systems and affect the entity’s ability to meet its objectives.”
Are information and systems appropriately secured?
This requirement is included in every SOC 2 assessment and is not optional.
“Information and systems are available for operation and use to meet the entity’s objectives.”
Are information and systems appropriately available for use?
i.e. Are they reliable?
“System processing is complete, valid, accurate, timely, and authorized to meet the entity’s objectives.”
Is information processed appropriately by your systems?
“Information designated as confidential is protected to meet the entity’s objectives.”
Is confidential information adequately protected?
“Personal information is collected, used, retained, disclosed, and disposed to meet the entity’s objectives.”
Is personal information adequately protected?
It is common to confuse the privacy and confidentiality criteria. The difference between the two is that privacy controls protect personal information (name, social security number, address, etc.) and confidentiality protects non-personal information and data that is still classified as “confidential.”
The most important thing to know is this: The criteria you’re assessed against should make sense according to the services you provide. At the end of the day, the CPA firm must provide an opinion on the effectiveness of the controls suited to the operational environment. So, they should verify that the criteria they’re assessing you against makes sense according to the services you provide.
- Perform a full readiness assessment with the firm you select. During this process, the firm will educate you on the requirements of all the framework’s criteria and help you understand any control gaps your organization has related to those criteria and points of focus. A point of focus (POF) is a supporting control that offers considerations and guidance. POFs are not requirements but rather serve as clarifications to criteria and assisting an organization as they create controls.
In short: A firm will work with you to help you understand the controls you’ll need to implement to receive a favorable report.
It’s important to know that your organization must create the controls. While the CPA firm can provide guidance around the types of controls you’ll need, they can’t create any controls for you. The end result of the readiness assessment is essentially a report that says something to the effect of: “Here are the controls that would be in your SOC 2 report. Here is how they map back to each criterion relevant to your business. And, here is where you have gaps that need remediation.”
Note: If this is your first SOC 2 assessment, you will almost definitely have a fair amount of control gaps and areas to remediate.
- Engage the CPA firm for a complete SOC 2 audit. Remember how there are multiple types of SOC audits? Well, to further complicate things, there are also multiple types of SOC 2 audits. Here they are: SOC 2, Type I: This type of SOC 2 reports on the design effectiveness of controls at a specific point in time.
SOC 2, Type II: This type of SOC 2 reports on both the design and operating effectiveness of a controlled environment over a period of time (minimum of 6 months and usually up to 9 months to a full year). A Type I audit is generally used as a stepping-stone to a Type II audit. So, what does the audit process actually look like? It varies by firm, but there are a few things you can count on.
- There’s going to be an on-site visit. Someone from the CPA firm (the assessor) will visit your facility to review evidence for the controls you’ve implemented to meet the requirements of the trust services criteria applicable to your organization. This generally occurs toward the end of the assessment period. So, if your assessment period ends in December, the on-site visit will likely occur during November and/or December. The assessing firm will perform testing that covers the entirety of the reporting period to ensure your controls have been operating effectively the whole time. So, while they may only be on-site toward the end of the audit period, their testing will cover the entire audit period (if you’re receiving a SOC 2, Type II report). During this on-site visit, their goal is to test the controls you have defined and make sure they effectively address the requirements and criteria of the SOC 2 framework.
- Management will need to present an accurate description of controls. Remember—the CPA firm is not responsible for helping you implement controls—only assessing them. Therefore, in the report, your company’s management is responsible for presenting an accurate description of the control environment.
- The CPA firm will issue a report after your report period’s end date. This is important. Regardless of when your assessment is completed, you won’t receive your report until after the assessment period’s end date (generally 45 – 60 days). In this report, the CPA firm issues its opinion on the design (SOC 2, Type I) or design and operating effectiveness (SOC 2, Type II) of your organization’s control environment.