Are you looking to start your SOC 2 Audit for this year? Here is a video that will guide you through your first SOC 2 audit using 11 steps.
Your customers have probably asked for your SOC 2 report, or it may be required to seal the deal on a new customer or contract. If you spend a lot of time answering security-related questionnaires, not having a SOC 2 audit report is costing you money. Chances are if you don’t have a SOC 2 report you are going to be leaving some money on the table at one time or another.
SOC 2, or "Systems and Organization Controls" (formerly "Service Organization Controls"), reports on information systems and organizational governance controls related to security and one or more of the following categories: availability, processing integrity, confidentiality, or privacy. Compliance with SOC 2 is NOT a pass/fail exam. It simply means that you have gone through an audit and published a report on compliance with the Trust Services Criteria, which is the American Institute of Certified Public Accountants (AICPA) SOC 2 requirements standard. The SOC 2 audit is conducted by an AICPA-certified audit firm, and it comes in two types: Type 1, a point in time, and Type 2, which is assessed over a period of time. You start with a SOC 2 Type 1 audit and then progress to SOC 2 Type 2.
The audit is the easy part. The challenge is understanding and articulating your security controls and governance program in a way that maintains security and continuously improves its rigor year over year, but most importantly, convincing the auditor you do that.
It is highly advisable that you engage with a company like Truvantis as a trusted advisor to get you ready for your audit. In fact, most of the AICPA auditors worth their salt will recommend that you partner with a third-party security advisory firm. You’re busy with the business of running your business, so you just don’t have the time. More importantly, the auditor cannot help you prepare; otherwise they would be grading their own homework, which is not allowed.
There are 11 steps to get through your first SOC 2 audit:
- Select a trusted security advisor like Truvantis who can work with you to achieve SOC 2 audit readiness and get you a favorable report
- Choose an AICPA auditor. We have associates whom we work with and who are guaranteed to be high-quality, cost-effective solution partners
- Define your SOC 2 scope and select reporting categories
- Perform a Gap Analysis – The Truvantis advisor will determine and understand the delta from your current state to where you need to be on audit day.
- Build (or rebuild) your security program governance documents, including procedures
- Conduct an Information Security Risk Assessment
- Define and implement controls for any control gaps
- Write a narrative description of all the controls relative to your security program
- Train staff and prepare for the audit by holding a mock audit
- Manage the auditor on audit day. Monitor their process and challenge the controls they ask about
- Dispute unfavorable report language. Don’t just accept what they give you the first time. Discuss the language with them so that they cast you in the best light possible.
The output and work products of the SOC 2 audit from the AICPA auditor are two things: a SOC 2 Type 1 report expressing the auditor’s opinion on the architecture and implementation of the required controls, and a letter to management that details any remaining deficiencies you have. The goals in the project engagement for you and Truvantis are to end up with a favorable SOC 2 report and a minimal letter to management.
It takes LOTS of work to build a security governance program, and that’s time that you don’t have. Don’t you want to do it once and do it right the first time?
Truvantis speaks the language of the auditor and knows how to get the very best results and a favorable SOC 2 audit report.
To save you some time and do it right on your first time, speak to Truvantis senior professionals who have been through hundreds of SOC 2 engagements. If you’re interested in learning more about SOC 2 check out the rest of our SOC 2 related blogs here!
SOC 2 can accelerate growth by removing security as a blocker in the sales cycle so you can get back to talking about value. It can take a long time if you do it internally, but an advisor can accelerate the process to get your sales team back to selling and your R&D team back to doing what you hired them for - developing an awesome solution.