11 Steps to Getting Through Your First SOC 2 Audit
Your customers have probably asked for your SOC 2 report, or it may be required to seal the deal on a new customer or contract. If you spend a lot of time answering security-related questionnaires, not having a SOC 2 audit report is costing you money. Chances are that if you don’t have a SOC 2 report, you are going to be leaving some money on the table at one time or another.
SOC 2, or Service Organization Control 2, reports on information systems and organizational governance controls related to security and one or more of the following categories: availability, processing integrity, confidentiality, or privacy. Compliance with SOC 2 is NOT a pass/fail exam. It simply means that you have gone through an audit and published a report on compliance with the Trust Services Criteria, which is the American Institute of Certified Public Accountants (AICPA) SOC 2 requirements standard. The SOC 2 audit is conducted by an AICPA certified audit firm, and it comes in two types: Type 1, a point in time, and Type 2, which is assessed over a period. You start with a SOC 2 Type 1 audit and then progress to SOC 2 Type 2.
The audit is the easy part. The challenge is understanding and articulating your security controls and governance program in a way which maintains security and continuously improves its rigor year over year, but most importantly, convincing the auditor you do that.
It is highly advisable that you engage with a company like Truvantis as a trusted advisor to get you ready for your audit. In fact, most of the AICPA auditors worth their salt will recommend that you partner with a third-party security advisory firm. This is because you do not have the time for this; you have a business to run. More importantly, the auditor cannot help you prepare; otherwise they would be grading their own homework, which is not allowed.
There are 11 steps to get through your first SOC 2 audit:
- Select a trusted security advisor like Truvantis who can work with you to achieve SOC 2 audit readiness and get you a favorable report
- Choose an AICPA auditor. We work with associates who are guaranteed to be high-quality, cost-effective solution partners
- Define your SOC 2 scope and select reporting categories
- Perform a Gap Analysis – The Truvantis advisor will determine and understand the delta from your current state to where you need to be on audit day.
- Build (or rebuild) your security program governance documents, including procedures
- Conduct an Information Security Risk Assessment
- Define and implement controls for any control gaps
- Write a narrative description of all the controls relative to your security program
- Train staff and prepare for the audit by holding a mock audit
- Manage the auditor on audit day – Monitor their process and challenge the controls they ask about
- Dispute unfavorable report language – Don’t just accept what they give you the first time. Discuss the language with them so that they cast you in the best light possible.
The AICPA auditor's SOC 2 audit produces two work products: a SOC 2 Type 1 report expressing the auditor’s opinion on the architecture and implementation of the required controls, and a letter to management that details any remaining deficiencies you have. The goals of the project engagement for you and Truvantis are to end up with a favorable SOC 2 report and a minimal letter to management.
It takes LOTS of work to build a security governance program, and that’s time that you don’t have. Don’t you want to do it once and do it right the first time? Truvantis has senior security professionals who have been through hundreds of SOC 2 engagements. It is one thing to read the audit security compliance standard. It’s another thing to understand the quickest path to getting you there. Truvantis speaks the language of the auditor and knows how to get the very best results and a favorable SOC 2 audit report.
SOC 2 can accelerate growth by removing security as a blocker in the sales cycle so you can get back to talking about value. It can take a long time if you do it internally, but an advisor can accelerate the process to get your sales team back to selling and your R&D team back to doing what you hired them for - developing an awesome solution.