It’s safe to say that not many service providers look forward to SOC 2 compliance. I'd guess not many of you have the AICPA on speed dial.
Whether you're preparing for a Type 1 or Type 2, audits may be perceived as events that you prepare for and complete, but then eventually they go away - at least for a while.
To stay SOC 2 compliant we suggest a paradigm shift. Treat compliance as a continuous process rather than a point-in-time event. Unlike taxes, there is no 'audit-season.' Here are some tips for always being prepared for your next audit.
Embrace the idea that policies and procedures evolve
After spending considerable time getting your policies and procedures just right to address the trust services principles, it’s tempting to step back and say, “Good, we finally have all this great documentation, now let's not touch it again until we absolutely have to!” However, updating your policies and internal controls is a good thing - provided you have adequate documentation around who made the changes, as well as evidence that the new policy was communicated to the appropriate parties. This applies to both internal teams and from a vendor management perspective too. Some changes will be straightforward, such as adding or removing an approved vendor. Others, such as adopting source control, will be more involved. However, having a method of source control gives you greater visibility into who made changes and when, which provides you with a built-in audit trail.
Declare your repetitive procedures using an automated scheduler
To stay SOC 2 compliant there are a large number of tasks that occur infrequently, but still require your attention on a regular basis. For example, your data classification, information security, system and organization controls, change management, risk management, customer data, and even financial information will need to be reviewed once a year. If you skip it, you’ll regret it, especially for Type ii. Access reviews should happen much more frequently, but still can be forgotten without a forcing function. Don’t try to keep all the tasks and schedules in your head. Instead, use a calendaring or task app to set these reminders for you on a daily, weekly, monthly, quarterly or yearly basis.
Find your allies in HR and IT
You depend on your internal colleagues as much as your CPA firm to complete soc reports and deliver a smooth audit. Look for the person or people on those teams who are detail-oriented and appreciate the structure that policies and procedures provide. Train them on the audit process and how critical a ticketing system can be to tracking all the relevant SOC 2 compliant activities, and emphasize that without such a system, many important tasks will slip through the cracks. One example of a task requiring a ticket is the onboarding or offboarding of employees. This task usually involves several people and departments within your organization, and typically requires detailed checklists for the various steps such as account creation, laptop, and mobile device setup and physical keycard assignment. Simply sending emails or using an ad hoc tool like Google Sheets to will not be sufficient when you’re under pressure to deliver evidence to an auditor.
Delegation is your friend
There are many evidence collection tasks required throughout the year, but don’t feel like you have to do everything yourself. You could lose both your hair and your mind - and still not get everything done. Remember that this is a team effort, so rely on your ticketing system to monitor tasks and delegate as necessary. This will help your team maintain familiarity with the system and processes, and keep you from having to retrain everyone from scratch right before next year’s Type ii report. You wouldn't want to be caught off guard by new compliance requirements.
Send out quarterly status updates that confirm your systems are working
It’s a good idea to regularly communicate the effectiveness of your SOC 2 compliant program for both a Type 1 report and Type 2 report. This not only keeps your staff in an “always auditing” state of mind but demonstrates to your management team that their investment to ensure processing integrity is paying off. There are several statistics you can include in these updates. For example, you can share how many compliance tickets were opened and closed during the last quarter. You can also summarize how many policies have been created or updated. These updates also demonstrate that your team is always thinking about the next audit so that if any gaps to develop in the meantime, you can address them quickly before they bubble up and become insurmountable. That way your service organization's controls are always up-to-date.Yes, audits can be a thorn in your side that you’d probably rather ignore, but keep your organization thinking about them throughout the year. Make good use of your ticketing system, and continually tune your policies and procedures. These efforts will be well worth it when your next audit rolls around.