What Are SOC Reports?
System and Organization Control (SOC) reports detail an organization’s internal controls based on SOC audit framework requirements and applicable Trust Service Criteria (TSC).
To receive a SOC 2 report, an organization must go through a SOC 2 audit and be evaluated on one or more service criteria. Once a SOC 2 audit has been completed, the auditor will write up and provide a SOC 2 report outlining how the organization has implemented security controls. Teams can then use this SOC 2 report or “certification” as a security attestation.
A SOC 2 audit can only be conducted by an AICPA-affiliated third-party organization. This means that organizations must engage an independent SOC 2 auditor or SOC 2 assessor to conduct an audit and receive a SOC 2 Type I or SOC 2 Type II report. SOC 2 reports should generally be obtained annually to ensure continuous coverage.
How Do You Select A SOC 2 Auditor?
When selecting a SOC 2 auditor or SOC 2 assessor, organizations should consider the following:
AICPA affiliated – SOC audits can only be performed by an independent Certified Public Accountant (CPA) or an AICPA-affiliated firm, so the audit firm must be AICPA affiliated to conduct SOC 2 audits and issue official SOC 2 reports. Additionally, the firm must comply with all updates provided by the AICPA for each type of SOC 2 audit.
Experience – Organizations should look at an audit firm’s previous experience before engaging in a SOC audit. Teams should determine whether the firm has performed similar SOC audits and assessments. Additionally, teams may look at whether a firm has worked with companies of a similar size and organizations in the same industry. Teams may have an easier time working with an auditor who has evaluated similar companies.
Time Period of Assessment – Since a SOC 2 Type II report requires that an organization’s internal controls be evaluated over a period of time, organizations that plan to go through a Type II audit should determine the audit firm’s general timeframe and period of assessment for evaluating security controls.
Process and Scope – Organizations should assess how an audit firm manages the SOC 2 audit process. Audit firms should conduct audits based on the latest AICPA guidelines, including the updated 2017 Trust Service Criteria (TSC) for evaluating and performing audits. SOC 2 assessors should also have a defined process and scope for how audits are conducted.
What Is the Process for Going Through an Audit?
Organizations that engage a SOC 2 auditor will be expected to provide documentation and evidence of internal security controls as they relate to the service criteria being evaluated. Organizations can expect to see the following when going through a SOC 2 audit:
Security Questionnaire – An auditor will most likely provide your team with a security questionnaire that asks numerous questions around your team’s security program, policies, infrastructure, and implemented technical controls.
Evidence Collection – Teams will be asked to provide evidence of effective controls within your organization. Your team will need to be able to provide current policies and proof that technology standards are currently in place.
Evaluation and Follow-up – An auditor may ask for additional evidence or answers to clarify questions around current security controls. Teams with compliance gaps may be asked to update their security program and resolve control gaps before the certification process can continue.
Report Creation (Certification) – After an auditor has successfully evaluated the effectiveness of your organization’s controls, they will write up and provide a SOC 2 Type I or SOC 2 Type II report for your organization.
Determining the Scope of A SOC Audit
A SOC 2 audit evaluates organizations based on one or more trust service criteria and controls. When going through a SOC 2 audit, organizations must determine the scope of evaluated criteria.
Determine Criteria Priorities – Teams should evaluate which of the five trust service criteria (TSC) will be evaluated during the SOC audit. The scope, duration, and rigor of a SOC 2 audit change depending on the number of criteria and controls to be audited; therefore, teams should determine priorities for assessment internally and with reputable partners.
Set Timeline for Implementation and Assessment – Teams should determine how implementation of SOC 2 internal controls and audit procedures fit into the overall organization timeline. Organizations should determine the scope of security control implementation, evidence collection, and audit engagement.
Work with Partners to Execute on SOC Plan – After determining relevant service criteria for evaluation and setting a general timeline, teams should work with reputable partners who can help the organization execute on SOC 2 audit and report objectives. Third parties should work together with your team to ensure that a SOC 2 audit goes smoothly.
How Do I Prepare For An Audit?
It is important that organizations have a prepared security program and required internal controls before engaging with an audit firm for a SOC 2 audit. Conducting a SOC 2 audit when your team is unprepared can lead to a much longer assessment process, additional scrutiny, and higher overall costs. Therefore, teams should attempt to set proper controls and collect all relevant evidence to streamline the audit process.
Teams may consider the following steps when preparing for a SOC 2 audit:
Set Administrative Policies – Set organizational policies around key SOC 2 security criteria and internal controls such as disaster recovery, system access, audit logging, and employee training. Dash’s custom administrative policies make it easy for teams to build policies that meet SOC 2 trust service criteria.
Set Technical Security Controls – Implement technical security controls in your IT infrastructure including controls around encryption, access control, intrusion detection, network and firewall rules, and vulnerability scanning. Dash enables teams to enforce security controls and maintain SOC 2 internal controls through continuous compliance monitoring.
Learn how Dash can help your team build your SOC 2 security program. See how Dash enables organizations to prepare for SOC 2 audit and achieve SOC 2 Type II.