What Is A SOC 2 Audit?
In order to achieve SOC 2 certification, companies and organizations must go through an annual SOC 2 audit and be evaluated on one or more principles of the AICPA Trust Services Criteria (TSC): Security, Availability, Processing Integrity, Confidentiality, and Privacy.
When going through a SOC 2 audit, organizations have their security controls evaluated and then receive one of two types of reports:
For SOC 2 Type 1, an organization is evaluated on “management’s description of a service organization’s system and the suitability of the design and operating effectiveness of controls.” For this report, security controls are evaluated at a specific point in time.
For SOC 2 Type 2, the security evaluation and auditing standards are more expansive than for SOC 2 Type 1. A SOC 2 auditor assesses the description and design of controls, but also evaluates the operating effectiveness of the organization’s security controls. This means that an organization’s controls and security program are evaluated over a period of several weeks.
What Can I Expect During A SOC 2 Audit?
Organizations that engage a SOC 2 assessor will be expected to provide documentation around their security program and work with the assessor to provide proof of their security program controls. It is important that teams take the time to plan and prepare for the SOC 2 assessment, or they risk delays due to a lack of standards or documentation.
Organizations may deal with the following steps when going through a SOC 2 audit:
- Security Questionnaire – An auditor will most likely provide your team with a security questionnaire that asks numerous questions around your team’s security program, policies, infrastructure, and implemented technical controls.
- Evidence Collection – Teams will be asked to provide evidence of effective controls within your organization. Your team will need to be able to provide current policies and proof of the technology standards that are currently in place.
- Evaluation and Follow-up – An auditor may ask for additional evidence or answers to clarify questions around current security controls. Teams with SOC 2 compliance gaps may be asked to update their security program and resolve control gaps before the certification process can continue.
- Report Creation (Certification) – After an auditor has successfully evaluated the effectiveness of your organization’s controls, they will write up and provide a SOC 2 Type 1 or SOC 2 Type 2 report for your organization.
Best Practices for Preparing for A SOC 2 Audit
Organizations preparing for a SOC 2 audit and assessment should have an established security program with administrative and technical safeguards in place in order to simplify the SOC 2 audit process. Teams that are well prepared will generally face less scrutiny and achieve SOC 2 certification much more quickly.
Teams should consider the following best practices when preparing for a SOC 2 audit:
1. Create Up-to-date Administrative Policies
Administrative policies and standard operating procedures (SOPs) are a cornerstone of any security program. Teams should implement administrative policies that match their staff structure, technologies, and everyday workflow. It is important that these policies are written in plain English and understood by your staff, rather than written as legal documents.
Security policies should dictate how security controls are implemented across your applications and infrastructure and define overall steps for managing security in the workplace. Policies should outline standard security processes for topics including:
- System Access – Defining how user access to sensitive data is granted, revoked, and limited
- Disaster Recovery (DR) – Defining how backup and disaster recovery standards are implemented, tested, and managed
- Incident Response – Defining how security incidents are reported, investigated, and resolved
- Risk Assessment and Analysis – Defining how the organization assesses, manages, and resolves security issues
- Security Roles – Defining how security and staff roles and responsibilities are assigned within the organization
- Security Training – Defining how security awareness training is conducted across your organization
Once your team has adopted administrative policies, you should review them on a periodic basis and continually update them as procedures change. Teams can share security policies with their SOC 2 auditor as evidence of the security program. Additionally, having up-to-date policies will enable your team to reference security standards and more quickly answer security questions and assessments during a SOC 2 audit.
2. Set Technical Security Controls
Once your team has developed a set of administrative security policies, you must work to ensure that technical security controls are in place across your applications and infrastructure. This means that your team should be implementing cloud security controls that match your policies.
Teams should look at developing security controls and implementing solutions around:
- Access Control
- Firewall and Networking
- Audit Logging
- Intrusion Detection Systems (IDS)
- Vulnerability Scanning
Teams should implement security best practices and ensure that security controls are implemented to meet the latest SOC 2 Trust Services Criteria (TSC) – Download the TSC Matrix.
3. Gather Documentation and Evidence
Before scheduling a SOC 2 audit, your team should prepare by gathering all relevant documentation, evidence, and materials in order to streamline the audit process. Teams should consider gathering the following documents:
- Cloud/Infrastructure Certifications and Agreements – Collect all cloud and infrastructure related agreements, certifications and attestations including documents such as:
- SOC 2 Report
- Business Associates’ Agreement (BAA)
- Service Level Agreements (SLAs)
- Administrative Security Policies – Collect and provide all administrative policies related to your security program.
- Technical Security Control Documentation – Collect any evidence and documentation around implementation and management of infrastructure security controls.
- 3rd Party and Vendor Contracts – Collect all documentation associated with third party companies, contractors, and service providers.
- Risk Assessment and Audit Documentation – Collect and provide any existing documentation from previous security assessments, or third-party audits.
4. Schedule an Audit with A Reputable Auditing Firm
Once your team has developed its security program and prepared for a SOC 2 assessment, it is time to engage a reputable auditing firm. Teams will want to look for a firm that has worked with companies of a similar size, has experience performing SOC 2 audits, and has the security expertise to provide an efficient SOC 2 audit process.
You may consider working with Dash and our auditing partners in order to prepare for and schedule a SOC 2 audit.
Preparing for A SOC 2 Audit
While a SOC 2 audit may appear daunting, your team can make the audit process easier by preparing properly. Having an established security program will make it easier for your team to provide evidence, respond to questions from auditors, and move through the certification process.
Learn how Dash ComplyOps can help your team prepare and achieve SOC 2 certification in the cloud.
- Utilize Dash to create custom administrative policies built around your organization and IT infrastructure.
- Enforce policy standards and SOC 2 security controls through Dash continuous compliance monitoring.
- Gather SOC 2 security evidence and create SOC 2 reports to simplify auditing and security evaluation.
- Work with an audit partner to complete a SOC 2 audit and achieve SOC 2 certification.