What are SOC reports?
A service organization controls (SOC) 2 report is a way to verify that an organization follows specific best practices for protecting its clients' data before you outsource a business function to that organization. A SOC 2 report is issued after a third-party auditor thoroughly examines the organization to verify its security, availability, processing integrity, confidentiality, and privacy controls.
To receive a SOC 2 report, the organization must undergo a SOC 2 audit to be evaluated on Trust Service Criteria (TSC) as defined by AICPA.
Only an AICPA-certified third-party organization can conduct a SOC 2 audit. Any organization looking to get a SOC 2 report for fortifying its compliance, building customer trust, and boosting sales must, in turn, engage an independent SOC 2 auditor or firm for a SOC 2 Type 1 or Type 2 report. In addition to the final audit, the 'right' auditor will also do a pre-audit to identify gaps, so you can streamline the process and be ready for the final audit. This will also help you build a robust action plan to remediate the gaps and improve your infosec posture.
Here's what you should look at while choosing an auditor to work with, according to Scrut's team:
1. Reputation
The Big 4, namely PwC, Ernst & Young, Deloitte, and KPMG, come to mind when we think of security audits. They are known in the industry for their decades of experience in conducting information security audits across F2000 companies. While Big 4 audits are the industry gold standard, they are too expensive for most small and mid-size enterprises (SMEs) to consider. There are many good, affordable auditing firms to choose from. Here are a few questions you should ask your prospective CPA firm before you proceed further:
How are you different from other auditing firms?
How would you describe your auditing team's quality of service and responsiveness?
How often does your team miss the timelines during an auditing process? What steps do you take to mitigate such delays?
Have you ever over-promised and under-delivered? If yes, why?
2. Experience
Experience goes hand in hand with reputation, which is why your organization should look at the CPA firm's expertise before engaging it for a SOC 2 audit. Statistics on a website can look exciting, but they are meaningless unless contextualized. Get in touch with the firm and check whether they have performed similar SOC 2 audits and assessments and whether they have worked with companies of a similar size in the same industry. The process is easier for you if the auditor has experience auditing similar companies.
As a rule of thumb, always ask these four questions to take the discussion forward:
What other assessments or certifications do you conduct?
It's easier to get all your certifications from one auditor. Switching auditors for each certification will cost you time and money.
Which industries do your customers come from?
No auditor can be an expert in every domain. Choose an auditor who has experience in your industry, particularly with companies of a similar scale.
Which languages does your team speak?
Make sure the auditing team understands the language your team speaks. Work goes more smoothly if you "hit it off" with the auditor in terms of language.
Is your auditing firm aligned on the mechanics of the audit and evidence-sharing methods?
Ensure you work with an auditor who knows how to extract information from various repositories relevant to you. This will help you save time and effort and accelerate your audit process.
3. Communication style
It's always important to choose an auditing firm that matches your communication style. There are plenty of auditing firms that deliver excellent work and fit your budget, but all of that goes to waste when there's miscommunication, which in turn fritters away your time, effort, and money.
4. Knowledge of tech stack
Test the auditor on their knowledge and understanding of your tech stack. If you start talking about your tech stack and they don't seem to know what you're talking about, run! You want an audit firm that understands the tools you use because this will enable them to test the controls comprehensively and help you collect the right evidence with reduced effort.
5. Price
If you are tight on budget, you can choose a CPA firm that matches your financial goals. That being said, low upfront costs are often accompanied by hidden, and more often than not substantial, costs. If a low-cost auditor can't keep to the audit timeline, and that timeline is critical for a customer sale, the result may be lost sales, which will exponentially increase the associated costs. Similarly, if the lower price comes at the cost of the hand-holding support that most startups need, the price difference will probably not be worth it.
We know SOC 2 can be expensive, and it takes a lot of work to get the audit done. But at least you won't suffer the agony of buyer's remorse as long as you spend enough time finding the right auditor and set the right budget aside.
6. Approach
As a rule of thumb, know how they approach the process. Try to understand how the auditor will execute the audit and how the auditor will interpret the policies and controls.
How will the auditor execute the audit?
The complexity of a SOC 2 audit depends heavily on the auditor's execution process. This includes, but is not limited to, how the auditor tracks audit progress, submits evidence requests, and collects the evidence. Some auditors use spreadsheets and email to manage the entire audit process, while others use automated tools like Scrut.
How will the auditor interpret the policies and controls?
SOC 2 audits, without a doubt, have complex controls and guidelines, particularly for an engineering team that does not specialize in security. The criteria are also descriptive rather than prescriptive in nature, so no two auditors will interpret them the same way. For example, some SOC 2 auditors will have a specific way of collecting and analyzing evidence artifacts, while others will be more flexible with what you already have and accept the documents and evidence you submit by mapping them to the SOC 2 controls.
So it's better to ask your auditor how they would collect evidence from you to gauge the level of effort needed from your team.
7. Team availability and escalation SLA
Last but not least, check whether the auditing team has enough resources to process your audit. It's very likely that the auditing team won't be working solely for you at any given time. To avoid being sold a bill of goods, make sure you ask the auditing firm the questions below:
What's your average SLA on response time?
What is your escalation process? Do you have a dedicated auditor, and how responsive are they?
How much experience does your dedicated auditing team have with SOC 2 audits?
Tips and tricks
Here are a few tips and tricks to help you navigate the auditor selection process:
Talk to at least four prospective auditors to get an idea of who best fits your needs.
Evaluate your auditors based on reputation, experience, communication, price, and approach.
It's always good to have a few reference calls with customers your prospective auditors have served who are similar to you in industry and size.
Speak with the dedicated account lead who will be driving the audit for your organization.
Scrut Automation is a one-stop shop for compliance. Our software provides the fastest solution for achieving and maintaining SOC 2 compliance, making it an ideal choice for busy startups.
Schedule your demo today to see how it works.