You scheduled your on-site SOC 2 testing. While the initial step is complete, there is still a lot of process and time before you’re past the finish line. This post will help plan and manage time expectations and establish a timeline of deliverables - working backward from your audit start date.
The Purpose of SOC 2 Audits
SOC stands for “system and organization controls”: a set of standards designed to measure how well a given service organization manages its information, user entities, and sensitive data - particularly customer data. The purpose of SOC standards is to create a level of confidence and trust for organizations when they engage third-party vendors. A SOC-certified organization (hey, that will be you soon!) has been audited by an independent certified public accountant who worked with the organization on a readiness assessment and determined that the firm has the appropriate guardrails, risk management, and controls in place to meet the attestation standards established by the American Institute of Certified Public Accountants (AICPA).
First, during the SOC audit project kickoff, build a financial model to quantify the revenue at risk. Methodologies such as FAIR (Factor Analysis of Information Risk) can help you understand, analyze and quantify information risk in financial terms. This exercise will also establish how critical each task is and build consensus within your company.
Gap analysis/readiness assessment
Next up is the gap analysis, which will take about 2-4 weeks from start to finish. You can work through the analysis internally with your SOC 2 team, but it also makes sense to get help from a third-party service auditor. The auditor will assess your environment in its current state and compare it to the SOC 2 requirements - specifically the trust services principles: security, availability, processing integrity, confidentiality and privacy. Some of the SOC audit procedures will need to be performed on site - such as those involving environmental or physical security controls - and others can be performed remotely. Coming out of the analysis, you will have identified areas with apparent deficiencies and will be ready to move forward with a punch list of items to tackle first. Some examples of items commonly on this list:
- Lack of core policies, such as an information security policy, to define how your organization is protecting internal data, as well as customer data.
- Employee background checks need to be conducted consistently.
- Lack of system password complexity policy (this one should be easy to remedy prior to your test period).
- Employment agreements that need to be adjusted or are missing altogether.
- Key trust services principle missing from scope - for example, if your organization provides financial/e-commerce services, you will likely want to add processing integrity as a criterion for your audit.
After your readiness assessment is complete, your first remediation period begins. It could be as short as 2 months or as long as 9 months. The timing depends on what is uncovered during your gap analysis and on how willing management is to dedicate resources to closing those gaps. This remediation period is the bulk of the process and is where your teams will feel the impact of the changes required by SOC 2. You may end up bringing on new hires or changing your software development process during your remediation efforts. Afterward, there will likely be a second remediation period following the audit itself, based on the findings of your auditors.
Receive information request list
In advance of the SOC audit, your audit firm will send a substantially complete manifest of everything you are expected to deliver. The manifest will also reveal everything that is currently missing. Expect that you will have many gaps, and give yourself enough time to address them. Some common gaps include:
- Your HR documentation might include a procedure for how to evaluate employee performance but probably does not include a meta-document that states when and how that document is distributed to managers.
- You might have adequate controls and checklists for employee onboarding, but the process for handling an employee’s job function change - or termination - is not fully documented and formalized.
- You are lacking a full inventory of assets, and/or the processes and procedures to keep that inventory accurate and up to date.
- Your core policies - such as the information security policy - are complete but you are missing other supporting documentation, such as standard operating procedures.
- Your customer data are missing key security controls.
There will also be items in the information request list that are not applicable to your business. You can push back on these with your auditor, but be ready to explain why they don’t apply. Other requests will seem excessive but still apply: for example, you will be asked to create tickets for even the most mundane compliance-related tasks. If you do a backup/restore test and you’re the only team member involved, it should still have a ticket - even if it’s self-assigned - so you can demonstrate retroactively that you completed the task.
You will need to create a large amount of documentation as part of SOC 2 compliance, so delegate this workload to as many people and teams as possible. Your role will be to assign tasks, track status and ultimately store the responses. For example, HR will need to send you an example of a completed background check for a new hire, or an executed employment agreement. Gather all of this evidence in a centralized repository, as requested by the auditor.
Scheduling the SOC 2 audit is an essential step in achieving compliance. Understanding ahead of time what the auditor will ask of you, as well as the time and effort involved in gathering the requested evidence, will better prepare you for your auditor’s on-site visit.