SOC 2 Examinations - Keys to Success

“What do you need for a SOC 2 Audit?” Prior to starting a SOC 2 examination, clients often ask us what they can do to ensure an efficient audit process that leads to rendering a clean (unqualified) opinion. Even though we can never guarantee a clean opinion, there are definite “keys” to success that lead to a more favorable outcome when implemented by our clients. Below is a list of what we consider the most crucial factors or “keys” to success.

  • Executive Sponsorship – This is by far the most important factor. SOC 2 examinations take time and require input and interaction with personnel from multiple departments. In addition, there are often new policies and procedures that may need to be implemented in order to meet the SOC 2 requirements. Without executive sponsorship, personnel might not be granted the additional time, personnel from different departments might not work well together, and new policies and procedures might not be implemented and followed.


  • Department Cooperation – As long as there is executive sponsorship, this one should not be too difficult to implement. Typically, SOC 2 examinations require personnel from multiple departments to perform controls and provide supporting evidence. Usually, IT, Security, DevOps, Human Resources, Operations, and the C-Suite are all involved during the SOC 2 examination.


  • Assign an Internal Employee/Consultant to Lead the SOC 2 Engagement Process – Since multiple departments and personnel will be involved, assigning an internal employee who has sufficient knowledge of the culture and department roles as the project manager will ensure that communications between the auditor and your personnel are routed to the correct person and not lost. Not only will your employees appreciate this, but the auditor will appreciate not having to contact personnel throughout your company to obtain the information necessary to complete the engagement. The project manager can also ensure that any new controls are implemented or existing controls are properly updated to keep the project on track and completed in a timely manner.

Keep in mind that the lead person does not have to be a security expert and typically isn’t. It definitely helps, but many times security experts do not have the time to dedicate to “managing” the process and making sure that documentation is provided in a timely manner. Security personnel are definitely an integral part of the process and will be required to gather documentation and respond to the auditor’s questions, but it might not be feasible for them to coordinate the entire SOC 2 examination.


  • Manage Your Clients’ Expectations – Many times, the requirement for the SOC 2 report originates from client requests. Understanding your clients’ specific needs and when they require a final report in their hands will drive the timeline for the examination. Clients may request reports be provided on short notice or with little lead time. For organizations that have never undergone a SOC 2 examination before, it typically takes six to twelve months (depending on type 1 or type 2) before a final report is in their hands. Having conversations with your clients early on about deadlines for completing and providing a SOC 2 report will go a long way in ensuring that you are not scrambling at the 11th hour to complete a SOC 2 engagement.


  • Manage Internal Stakeholders’ Expectations – It is also important to have conversations early on with internal stakeholders to ensure that they understand the rigor that is required in order to complete a SOC 2 engagement. Just like many clients who request a SOC report, many internal stakeholders might have unrealistic expectations for when the SOC 2 report may be in their hands and available for customers. An organization’s sales, business development and client account management personnel will be eager to let customers and prospects know that a SOC 2 report is available for them to review. Communicating with these departments early on is essential so that they don’t overpromise and overcommit to customers and prospects.


  • Engage a CPA Firm or Consultant to Perform a Readiness Assessment – A SOC 2 readiness assessment is an engagement performed by a CPA firm or consultant before an actual SOC 2 engagement. The readiness assessment will help clients gauge their preparedness for the SOC 2 examination. During the readiness assessment, a gap analysis will be performed and the current control environment will be assessed to determine if any control gaps exist. If control gaps exist, recommendations will be provided to assist with remediation. Without a readiness assessment, there is a higher chance of the SOC 2 engagement resulting in significant control exceptions.

During the readiness, your CPA firm should provide guidance and advice about controls that should be implemented in order to meet the SOC 2 criteria and guidance on how to write the system description.

Schneider Downs has created a proprietary catalog of SOC 2 controls. When performing a readiness, we utilize this catalog to help guide our clients through a readiness engagement. Many of our clients find this useful as it provides them an easy-to-understand list of controls to meet the SOC 2 criteria. Without a catalog of controls, the SOC 2 criteria might seem overwhelming and difficult to interpret for your particular business. In addition, we have a SOC 2 system description template that clients can tailor to their specific control environment. If you are interested in these documents, please feel free to reach out to me directly.

  • Engage a CPA Firm with Security Qualifications – When selecting a CPA firm, choose a firm with personnel that hold certifications, such as Certified Information Systems Security Professional (CISSP) or Certified Information Systems Auditor (CISA), in addition to CPAs. Possessing the CISSP and the CISA demonstrates that the firm understands the SOC 2 reporting framework and security risk management strategies.


  • Understand the Role of Your Vendors in Meeting SOC 2 Requirements – Vendors might play an integral part in meeting the security requirements for SOC 2. For instance, if your infrastructure resides in a datacenter owned by a third party, then you would expect your third party to have appropriate physical security controls in place for restricting access to your infrastructure. In order to meet the physical security requirement for SOC 2, you would be relying on the third party’s controls to be operating effectively. When this situation occurs, it is your responsibility to appropriately monitor the operating effectiveness of your third-party controls. If your vendor undergoes a SOC 2 examination, then you can monitor your vendor’s controls by obtaining and reviewing their SOC 2 report. However, if your vendor does not have a SOC 2 report available, then your SOC 2 auditor might have to include the vendor in your SOC 2 engagement and test their controls as part of the SOC 2 report. Understanding what will be required from your vendor and communicating what will be required from them, if anything, will enable a more efficient examination process.


  • Maintain a Culture of Internal Control – To be successful, organizations must realize that maintaining a culture of internal control and security is a top-down mindset. Controls must be implemented with the idea that the controls will be operating continuously, unless changes in the environment require controls to be modified. SOC 2 examinations cover a continuous period of time without any gaps. To show your customers that you prioritize protecting their data, you must ensure that everyone in your organization commits to security as part of their job responsibilities.


Material discussed is meant for informational purposes only, and it is not to be construed as investment, tax, or legal advice. Please note that individual situations can vary. Therefore, this information should be relied upon when coordinated with individual professional advice.

© 2024 Schneider Downs. All rights-reserved. All content on this site is property of Schneider Downs unless otherwise noted and should not be used without written permission.