Basics of a SOC 2 audit

As your organisation grows through the many phases of business, you'll experience the need to have a SOC 2 Audit as a way to prove to other companies and prospective clients that your firm is well secure and follows the mandatory security practices.

The SOC 2 audit is surely the best way to do so; however, it can be a little bit confusing as to where you need to start, how much investment would be required, and what is the process for it. Lucky for you, we're here with a guide on all the basics of SOC 2 Audit.

Understanding what a SOC 2 audit is

The SOC 2, also known as Systems and Organisations Controls 2, is an audit process that focuses on measuring and analysing if your company can successfully manage the client's data and information.

Developed by the American Institute of Certified Public Accountants, SOC 2 is concentrated on studying information systems for security purposes. As a part of the process, you are required to hire a CPA who acts as an auditor to review your SOC 2 report.

SOC 2's compliance requirement consists of five trust principles:

• Security
• Availability
• Processing Integrity
• Confidentiality
• Privacy

Do you need to necessarily get yourself audited across all trust principles? That decision really depends on you, since AICPA allows you to identify what controls are most relevant to you. Your audit would only cover the trust principles that you choose to get yourself audited for, based on a thorough evaluation of your environment. In several cases, organisations cover three trust principles to begin with - Security, Availability and Confidentiality.

But what is in the report? The SOC 2 report is a document that carries all the information collected based on the trust service principles that apply to your company.

There are a few types of opinions the auditor may offer:

Unmodified opinion, without exceptions

No material inaccuracies or flaws in systems. This is your goal.

Unmodified opinion, with some exceptions

With such a report, you are still SOC 2 compliant, but there are items that need remediation. The company's management will have the option of

Qualified opinion

There are material misstatements in system control descriptions, but they're limited to specific areas.

Adverse opinion

There is sufficient evidence that there are material inaccuracies in your controls' description and weaknesses in design and operational effectiveness.

Hence, all in all, the SOC 2 Audit is a way to prove you are following the security measures and handling customers' data in a professional manner.

Difference between SOC 2 Type I and Type II

Before stepping into the SOC 2 compliance process, you must decide what type of SOC 2 audit you want for your company. There are two types:

Type 1 is a fast audit that can be completed within a day. It is a document that describes your understanding of security controls and that you are working on implementing them to become information security compliance. You can only receive the Type I audit once.

Type 2 is a more in-depth version of Type 1. It takes place over the course of 6-12 months and is required to be renewed every year once issued. Unlike Type 1, which only describes the security controls and their implementation, Type 2 is responsible for studying their operational effectiveness. Auditors generally gather evidence from your systems and measure them against the security principles to attest whether you are compliant or not.

As a company owner, you may want to consider getting a Type 2 report since it gives the message that you're continually working on security and compliance to prospective clients and partners. It is also more long-term and sustainable.

Who is responsible for administering the SOC 2

Achieving SOC 2 Audit compliance means working with a set of people and engaging in multiple processes. This article will help you understand who you need to work with, both internally and externally, as a part of your process to become SOC 2 compliant.

An authorised CPA or certified public accountant must be the person responsible for reviewing your SOC 2 compliance report rather than any IT specialist because they have the required credentials to do so. It is mandatory that you delegate the procedure of checking for compliance to an independent external auditor or third-party CPA firm to ensure validity and certification.

What happens during the SOC 2 Compliance procedure?

To speed things up for you, we're here to help you know what exactly happens once you start the SOC 2 Compliance audit procedure.

Firstly, the auditor you hire will want to set up a time frame with you to ensure that both of you are on the same page. Following this, they will relay to you the necessary information about what to expect and how the process will move forward.

Secondly, they will require information from you about the security applications already in place and other similar questions. Once you provide them with that information, the process will move forward and will include the following steps.

1. Security questionnaire
   If you are hiring a reputed CPA firm for your compliance procedure, then they'd most likely begin by administering a security questionnaire to you and your employees. This security questionnaire will consist of questions regarding your company's security, IT policy, infrastructure, and other controls. Ensuring your team answers the questions confidently is vital to get compliance. It is also one of the reasons why many firms engage in employee training while hiring new employees.
2. Collecting evidence for security controls
   The next step following the questionnaire is collecting data and evidence. Your team will be required to provide information on the controls aforementioned in the data. Every policy and internal control systems need to be evidenced as a part of this process. The auditors use this information to compare if the functions are effective in comparison to the trust principles.
3. Evaluation
   The third step is evaluation, within which the auditor might question every step of your SOC 2 audit scope to understand the operations.
4. Follow up with security questions
   You must already know that getting SOC 2 audit compliance is intensive, and it will include an array of follow-up questions. Despite the preparations you undertake, the auditor will uncover serious security issues and will look to you to resolve the questions that follow. There could be either minimal compliance gaps that the auditor can ask you to fill in before proceeding for audit compliance or major compliance gaps that will delay your audit perusal. Every visit is also documented by the auditor as a way of evidence.
5. SOC 2 report
   The last step that means you're nearing the end of achieving SOC 2 compliance is the SOC 2 report. This is issued by the auditing firm and mainly consists of the auditor's opinion regarding the effectiveness of your established internal controls. It is only considered effective if the auditor has reputable standing regarding compliance with CPA firms.

Cost and time taken in SOC 2 audit procedure

Trust Services Criteria you choose to be compliant for, and other such factors. That said, you can expect to spend somewhere between $30,000 to $70,000 on the entire SOC 2 audit compliance process.

Most of these costs will be spent getting a reputed auditor and consultant's services to perform risk assessments, and audit readiness along with services like writing the report. You can reduce a lot of these amounts by choosing to automate the SOC 2 compliance process using automated compliance software.

The costs associated with an audit are usually not inclusive of the indirect costs like employee training, time, and efforts spent on the process. You can read more about the Cost of a SOC 2 Audit here. (add an internal link for blog)

You can determine an approximate cost of the SOC 2 Audit by going through the preparatory steps that we've mentioned in detail in the next part.

Important steps to prepare for and pass the SOC 2 audit process

Preparation for SOC 2 audit compliance is as important as the completion of the report if you want to save time and money. Going into the procedure unprepared can cost you more harm than good. So, these are the following steps you must follow!

1. Set clear objectives after audit scope: Selecting the Type of Audit comes under the umbrella of audit scope along with setting clear objectives for data, people, processes, and risk management. You can either choose between SOC 2 Type I or Type II depending on the nature of the organization, along with the time and money you want to spend. If you want a detailed report that will bring in more business over time, go for Type II but if you want to save resources and only want a description stating you have security controls in place, go for Type I.
2. Select the relevant Trust Service Criteria (TSC): Once the scope and objectives are set, you can move onto the next prep stage: se; acting trust service principles. For those of you who are unaware of what Trust Service Criteria is, know that these are the standards stated by the AICPA to assess the security controls of a company. If you're not comfortable picking all five principles, select the ones that are most relevant to your organization and invest in them. You can go ahead with all five as well; just remember that the cost and investment increase with each added principle. The five service criteria that combine to make up the trust service principles are:
   1. Security: Protecting data against unauthorised access or disclosure/handling of information
   2. Availability: Information about available systems and their effectiveness.
   3. Processing integrity: Determining whether your systems are performing their functions validly and regularly to meet your organisational objectives.
   4. Confidentiality: Collecting, using, and disposing of non-personal data and information properly.
   5. Privacy: Collecting, using, and disposing of personal data and information properly.
3. Perform readiness assessment: A readiness assessment is the preparation of the performance before the actual performance. So, in the case of a SOC 2 audit, it includes running a security check with an auditor to gain an idea and documenting all the systems, processes, and controls. Since these would also be in your official audit, the assessment produces some critical results that show you exactly where in your systems or controls you need to work. All in all, readiness assessment can help you know where the auditor will look at in the final SOC 2 audit process and how strong is your company's management.
4. Run a gap analysis: Just running an assessment would not take you anywhere if you don't actually act on it before proceeding with the SOC 2 Audit. This is where the Gap analysis comes in. This involves comparing the notes you receive through the readiness assessment and then objectively aiming to fill the gaps by comparing them against the trust service principles. You can choose to conduct this analysis internally, but it may not provide you as objective and fruitful results as an external firm would. It may be another financial spend, but it will take you a step closer to SOC 2 audit. Here is what all you can do as a part of gap analysis before moving forward for an actual audit:
   1. Management training
   2. Implementation of security controls
   3. Interviewing management
   4. Better documentation of systems and processes
   5. Connecting company-wide workflow
5. Conduct a final assessment of the report: Eliminating the weaknesses after the readiness assessment can mean only one thing: conducting a final assessment. Once you are sure that you've covered all areas necessary for SOC compliance and filled the gaps, then you can apply for a formal SOC 2 audit. Now we can just hope that you end up getting a SOC 2 report with an unmodified opinion of every relevant trust service principle! This brings us to an end on the basics of a SOC 2 audit. Everything from the procedure to preparation has been covered, and we hope you're now equipped with the knowledge you need before pursuing audit compliance.

Start your compliance process with us!

Scrut Automation is an innovative and radically simple governance, risk, and compliance automation platform for growing startups and mid-market enterprises. With Scrut, compliance teams can reduce ~70% of their manual effort in continuously maintaining compliance towards SOC 2, ISO 27001, GDPR, PCI DSS, HIPAA, and CCPA. Schedule your demo today to see how it works.