TMCnet Feature
December 22, 2020

Preparing For a SOC 2 Audit



What Exactly Is a SOC 2 Audit?

An annual SOC 2 audit is necessary for any company or organization that wishes to obtain SOC 2 certification. In order to become SOC 2 certified, your company will be evaluated on one or more of the following principles of the AICPA Trust Services Criteria (TSC): Security, Availability, Processing Integrity, Confidentiality, and Privacy.



During an audit, an organization typically goes through a security evaluation that analyzes its security controls. Afterward, it will receive one of the following two types of reports:

Relating to SOC 2 Type 1: A type 1 evaluation is based on an organization’s description of its security system — the suitability of its design and operational effectiveness of its controls. In short, the security controls are evaluated at a specific point in time.

Relating to SOC 2 Type 2: The security evaluation and auditing standards for Type 2 are more rigorous than for Type 1. During a SOC 2 Type 2 audit, the auditor not only assesses the description and the controls of an organization’s security system, but also assesses the operational effectiveness of those controls over time. Since much more is involved in evaluating this, a Type 2 audit takes place over the course of several months.

SOC 2 Audit — What To Expect

An organization preparing for a SOC 2 audit should have its security documentation close at hand, ready to provide to the SOC 2 assessor. It is of the utmost importance that your team has established security policies and has prepared for the assessment in order to minimize potential delays.

Be ready for the following when preparing for a SOC 2 audit…

1. Security questionnaire: It is common practice for an auditor to supply your team with a security questionnaire regarding your security program, policies, infrastructure, and implemented technical controls.

2. Evidence collection: Be prepared to provide evidence of effective controls within your organization, including current policies and proof that they are in place.

3. Evaluation and follow-up: It is best to over-prepare. An auditor will often ask for additional evidence to support their report. If your company has any SOC 2 compliance gaps, there is a good chance you will be asked to update your security program before the auditing process can continue.

4. Certification: If your security controls pass the audit, your auditor will write and provide your company with a SOC 2 Type 1 or Type 2 report.

Preparing For A SOC 2 Audit — Best Practices

To ensure a smooth process when preparing for an audit, make certain that your security program is up to date, with both its administrative and its technical safeguards in place.

Remember: a team that is prepared will deal with less scrutiny and achieve certification quickly.

When preparing for an audit, consider the following:

Be sure that your administrative policies are up to date

These policies are an essential component of any security program. Your policies should reflect your employee structure, technology, and everyday workflow. They are not legal documents: keep them simple and written in plain English so they can be easily read and understood by all staff members.

Your security policies should outline how your security controls are implemented across your applications and infrastructure. Make sure to highlight and define all of the necessary steps for managing security.

Be sure to outline the standard security processes for the following topics:

System Access — Explain and define how user access to sensitive data is both granted and revoked.

Disaster Recovery — Explain and define how both backup and disaster recovery (DR) standards are implemented, tested, and managed.

Incident Response — Explain and define how security incidents are reported, investigated, and resolved.

Risk Assessment and Analysis — Explain and define how your organization assesses, manages, and resolves security issues.

Security Roles — Explain and define how security, staff roles, and responsibilities are delegated within your organization.

Security Training — Explain and define how security awareness training is implemented throughout your organization.

Once your administrative policies are up to date, be sure to review, assess, and continually update them as your procedures change. These policies can then be presented to auditors as evidence that your policies are current.

Set Technical Security Controls

After your administrative policies are in place, you must ensure that all technical security controls are in place across all infrastructure and applications. In order to do this, your team needs to implement cloud security controls that match your policies.

Consider developing security controls regarding the following:

  •  Access Control
  •  Firewall and Networking
  •  Encryption
  •  Backup
  •  Audit Logging
  •  Intrusion Detection Systems (IDS)
  •  Vulnerability Scanning

Make sure that your security controls are implemented to meet the latest SOC 2 Trust Services Criteria.

Gather Documents and Evidence

Be sure to gather all documentation, evidence, and materials into one place before scheduling a SOC 2 audit. The more organized you are, the quicker the auditing process will be.

Be sure that your team takes the following documents into account:

Cloud/Infrastructure Certifications and Agreements: Organize and gather all documents relating to cloud and infrastructure agreements, certifications, and attestations, including documents such as:

  •  SOC 2 Report
  •  Business Associates’ Agreement (BAA)
  •  Service Level Agreements (SLAs)

Administrative Security Policies: Gather and provide all administrative policies involving your security program.

Technical Security Control Documentation: Gather and provide all evidence and documentation covering the implementation and management of infrastructure security controls.

Third-Party and Vendor Contracts: Gather and provide all documentation involving third-party companies, contracts, and service providers.

Risk Assessment and Audit Documentation: Gather and provide any documentation from previous security assessments (if any), including any third-party audits.

Be Sure to Schedule Your Audit With A Firm You Can Trust

Once everything has been accounted for, it’s time to move on to the next stage: engaging a reputable auditing firm. Look for an auditing firm that has worked with companies similar to yours in the past. Consider the size of the companies they have worked with and their level of expertise when it comes to SOC 2 audits: do they have the security expertise to perform SOC 2 audits correctly?

Preparing For Your SOC 2 Audit

An audit doesn’t have to be as daunting as it seems. As long as you take the time to properly prepare and get all of your ducks in a row, the process can be surprisingly simple. An established security program will make things much easier for your security team when the time comes for an audit.

Click here to learn how Dash ComplyOps can help your team achieve SOC 2 certification in the cloud. Here’s how Dash can help your organization:

  •  Create and customize administrative policies, tailored to your company and IT infrastructure
  •  Enforce policy standards and SOC 2 security controls via continuous compliance monitoring
  •  Locate and gather all SOC 2 security evidence and create SOC 2 readiness reports that simplify the auditing process
  •  Easily complete your SOC 2 auditing process and achieve certification with one of our reputable auditing partners.

Streamline SOC 2 compliance by contacting Dash: our auditing partners are standing by to help you schedule an audit and make sure you’re fully prepared.
