What Is A SOC 2 Audit?

In order to achieve SOC 2 certification companies and organizations must go through an annual SOC 2 audit and be evaluated on one or more principles of the AICPA Trust Services Criteria (TSC) – Security, Availability, Processing Integrity, Confidentiality, and Privacy.

When going through a SOC 2 audit, organizations may go through security evaluation for security controls and then receive one of two types of reports:

For SOC 2 type 1, an organization is evaluated on “management’s description of a service organization’s system and the suitability of the design and operating effectiveness of controls.” For this report security controls are evaluated at a specific point-in-time.

For SOC 2 type 2, security evaluation and auditing standards are more expansive then SOC 2 type 1. A SOC 2 auditor assesses the description and design of controls, but also evaluates the operation effectiveness of organization security controls. This means that an organization’s controls and security program are evaluated over a period of several weeks.

What Can I Expect During A SOC 2 Audit?

Organizations that connect with a SOC 2 assessor will be expected to provide documentation around their security program and work with the assessor to provide proof of security program controls. It is important that teams take the time to plan and prepare for SOC 2 assessment or risk potential delays due to lack of standards or documentation.

Organizations may deal with the following steps when going through a SOC 2 audit:

• Security Questionnaire – An auditor will most likely provide your team with a security questionnaire that asks numerous questions around your team’s security program, policies, infrastructure, and implemented technical controls.
• Evidence Collection – Teams will be asked to provide evidence of effective controls within your organization. Your team will need to be able to provide current policies and proof that technology standards that are currently in-place.
• Evaluation and Follow-up – An auditor may ask for additional evidence or answers to clarify questions around current security controls. Teams with SOC 2 compliance gaps may be asked to update their security program and resolve control gaps before the certification process can continue
• Report Creation (Certification) – After an auditor has successful evaluated the effectiveness of your organization’s controls, they will write up and provide a SOC 2 report (SOC 2 Type 1 or SOC 2 Type 2) for your organization.

Best Practices for Preparing for A SOC 2 Audit

Organizations preparing for SOC 2 audit and assessment should have an established security program with administrative and technical safeguards in place in order simplify the SOC 2 audit process. Teams that are well-prepared, will generally deal with less scrutiny and achieve SOC 2 certification much quicker.

Teams should consider the following best practices when preparing for a SOC 2 audit:

1. Create Up-to-date Administrative Policies

Administrative policies and standard operating procedures (SOPs) are a cornerstone to any security program. Teams should implement administrative policies that match their staff structure, technologies, and everyday workflow. It is important that these policies are written in plain-English and understood by your staff, rather than written as legal documents.

Security policies should dictate how security controls are implemented across your applications and infrastructure and define overall steps for managing security in the workplace. Policies should outline standard security processes for topics including:

System Access – Defining how user access to sensitive data is granted, revoked and limited

Disaster Recovery (DR) – Defining how backup and disaster recovery standards are implemented, tested, and managed

Incident Response – Defining how security incidents are reported, investigated, and resolved

Risk Assessment and Analysis – Defining how the organization assesses, manages and resolves security issues

Security Roles – Defining how security and staff roles and responsibilities are assigned within the organization

Security Training – Defining how security awareness training is conducted across your organization

Once your team has adopted administrative policies, you should make sure to review policies on a periodic basis, and continually update policies as procedures change. Teams can share security policies with SOC 2 auditor as evidence of your security program. Additionally, having up-to-date policies will enable your team to reference security standards and more quickly answer security questions and assessments during a SOC 2 audit.

2. Set Technical Security Controls

Once your team has developed a set of administrative security policies, you must work to ensure that technical security controls are in-place across your applications and infrastructure. This means that your team should be implementing cloud security controls to match your policies.

Teams should look at developing security controls and implementing solutions around:

• Access Control
• Firewall and Networking
• Encryption
• Backup
• Audit Logging
• Intrusion Detection Systems (IDS)
• Vulnerability Scanning

Teams should implement security best practices and ensure that security controls are implemented to meet the latest SOC 2 Trust Standards Criteria (TSC) – Download the TSC Matrix.

3. Gather Documentation and Evidence

Before scheduling a SOC 2 audit, your team should prepare by gathering all relevant documentation, evidence, and materials in order to streamline the audit process. Teams should consider gathering the following documents:

• Cloud/Infrastructure Certifications and Agreements – Collect all cloud and infrastructure related agreements, certifications and attestations including documents such as:
  • SOC 2 Report
  • Business Associates’ Agreement (BAA)
  • Service Level Agreements (SLAs)
• Administrative Security Policies – Collect and provide all administrative policies related to your security program.
• Technical Security Control Documentation – Collect any evidence and documentation around implementation and management of infrastructure security controls.
• 3^rd Party and Vendor Contracts – Collect all documentation associated with third party companies, contractors, and service providers.
• Risk Assessment and Audit Documentation – Collect and provide any existing documentation from previous security assessments, or third-party audits.

4. Schedule an Audit with A Reputable Auditing Firm

Once your team has developed your security program and has prepared for a SOC 2 assessment, it is time to engage with a reputable auditing firm. Teams will want to look for an organization that has worked with similar size companies, has experience performing SOC 2 audits and has the security expertise to provide an efficient SOC 2 audit process.

You may consider looking at a solution such as Dash ComplyOps in order to prepare for and schedule a SOC 2 audit.

Preparing for A SOC 2 Audit

While a SOC 2 audit may appear to be daunting, your team may make the audit process easier by properly preparing. Having an established security program will make it easier for your team to provide evidence, respond to questions from auditors, and move through the certification process.

Learn how Dash ComplyOps can help your team achieve SOC 2 certification in the cloud.

• Utilize Dash to create custom administrative policies built around your organization and IT infrastructure.
• Enforce policy standards and SOC 2 security controls through Dash continuous compliance monitoring.
• Gather SOC 2 security evidence and create SOC 2 reports to simplify auditing and security evaluation
• Work with audit partner to complete a SOC 2 audit and achieve SOC 2 certification.