What information do you need to know before your SOC 2 audit?
When it comes time for a SOC 2 report, there are several things you must know before selecting a firm. Failing to establish mutual expectations pre-contract can lead to miscommunications, process errors and, ultimately, inefficiencies within the audit.
That’s why it’s important to determine upfront whether the firm’s approach will be a good fit with your organization. Below are 20 questions (with sub-questions) to ask any prospective audit firm before you sign:
- Experience: What’s your firm’s experience with SOC reports? How many have you performed in the last year and can you provide references from our industry?
- Industry Expertise: Do you understand our industry’s nuances?
- Scope: Can you help define the scope of the report? What areas should/shouldn’t be covered and what controls will be tested?
- Team: Who will be leading the engagement? What are their qualifications, certifications and experience? Will he/she be the dedicated point of contact throughout the engagement?
- Resources: Will you be leveraging any subcontractors to conduct the engagement? If so, where are they located and do they maintain the same level of security controls?
- Timeline: What’s the estimated timeline for the report? How flexible can you be to accommodate our needs?
- Remote/On-site: Can you perform the entire engagement remotely? How does that compare, in terms of effectiveness and cost, to coming on-site?
- Communication: What are your preferred communication protocols? How will findings be communicated?
- Issue Resolution: If an issue arises during the engagement, how will you help to resolve it?
- Cost: What factors determine the cost of the engagement? Are there any potential additional fees we should be aware of? What will the report cost in subsequent years?
- Conflicts of interest: Do you or anyone at your firm have any conflicts of interest that would impair your independence?
- Continuous Monitoring: Do you offer any ongoing monitoring services or partner with any tools/solutions to help us maintain compliance and operate controls effectively over time?
- Technology: How does your firm stay current with the emerging technologies that we have or might adopt to ensure you can competently test our controls?
- Data Protection: How does your firm ensure the Security, Availability, Confidentiality, Privacy, and Processing Integrity of our data? Can you provide a SOC 2 Type 2 report of the systems that process our data?
- Approach: Can you walk us through your methodology and approach?
- Questionnaires: Will this report ultimately diminish the number of security questionnaires that we receive?
- Results: How frequently do you issue reports with qualified or adverse opinions when you also performed a readiness assessment?
- Future: How long is the report good for? Will you help us write a bridge letter? What is the process for renewal?
- Contract: Are you able to incorporate any of the above into our contract?
- The Closer: What questions haven’t we asked that we should have?
A great SOC 2 audit firm should be a partnership: an evolving collaboration to enhance the security and trustworthiness of your services. These upfront questions will help you forge a successful partnership and ensure a thorough and effective audit process.
Most of these questions are applicable to other Cybersecurity Risk and Compliance services, too, such as ISO 27001/2, PCI-DSS, NIST 800 Series, CMMC, HIPAA, HITRUST, Privacy frameworks, and everything in between.
How Can Schneider Downs Help?
If you have any questions about SOC compliance, assessments and readiness, please contact us at [email protected] or visit our dedicated SOC page.
About Schneider Downs IT Risk Advisory
Schneider Downs’ team of experienced risk advisory professionals focuses on collaborating with your organization to identify and effectively mitigate risks. Our goal is not only to understand the risks of potential loss to the organization, but also to drive solutions that add value, and to advise on opportunities that ensure minimal disruption to your business.
To learn more, visit our dedicated IT Risk Advisory and Third-Party Risk Management pages.