SOC 2 Type 2 Guide: The SOC 2 Audit Process - Part 2
This includes knowing which systems are in scope for the audit, developing policies and procedures, and putting new security controls in place to reduce risks.
When ready, an organization will engage the service of a licensed CPA auditor to carry out the audit. The real process involves scoping, artifact document collection, and an on-site visit. The time commitment is usually several hours of introductory phone conversations and two days in-person in the office. While in the office, the auditor will carry out interviews and review the material submitted. When starting to scope a SOC 2 audit, there are some key decisions that will need to be made ahead. First, what type of audit do you want; Type I or Type II?
A lot of newbies may find this terminology confusing - so many numbers and Roman numerals thrown around.
Here’s a simple way to remember:
S = SCOPE,
T = TIME.
SOC 1 = Financial Scope.
SOC 2 = Information Security Scope.
Type I = At a single point in time.
Type II = Over the past 6 months.
Make SOC 2 work in your favour
If the decision about choosing a SaaS provider comes down to you and a competitor, having SOC 2 Type II compliance will boost your chances of being the preferred choice. Placing emphasis on the fact that you are SOC 2 compliant and stating the type of audit can be a game changer, especially as companies that know better will look for Type II.
Eighty-eight percent of consumers research their options online before making a purchase, so make sure you remember to highlight your SOC 2 compliance on your website.
For example, Intercom has a page on their website set aside for their security measures, which has details of their SOC 2 compliance.
So, like Intercom, when you get your SOC 2 Type II report, add the following information to your website:
- Highlight which of the five trust-service principles you adhere to
- For each principle, state a summary of the procedures you went through internally
- Provide the contact information for your security team so customers know where to go for additional information
Since about 77% of the U.S. population have a social media account, go a step further by sharing your SOC 2 status on platforms such as Twitter and Facebook. That way, as your potential customers research their options on platforms where they spend most of their time, your announcement gets noticed and it invites them in to get more information about your data-security standards.
Be creative in the way you share your compliance. You want it to be seen by your audience, so research where they spend the most time online and place it there for them to see. Your promotion strategy should therefore include industry platforms and social media.
How to get started in getting SOC 2-compliant
Meeting the needs of customers is crucial to your success, so use their insights to make sure your SOC 2 compliance is relevant to them.
There are several ways to know the needs of customers. Here are a few examples to try:
Review follower comments on social media. Use your Facebook business page to see the types of comments your audience leaves on posts, the types of content they share on your page and their own, and the type of positive or negative feedback they leave.
- Review the kinds of questions or queries customers share with your support team. Customers contact support for specific reasons, like when they come across an issue or discover a feature doesn’t work as it should, or if they’re not satisfied with the service as a whole. Make use of this feedback to understand how you can better serve them.
- Send emails of short surveys based on the above to further narrow down your customer needs. Make use of multiple-choice questions and follow it up with open-ended questions so customers can provide the reason for their choices.
- Make use of your website’s lead-generating forms to understand the needs of your customers. When leads provide their names and email addresses, use the confirmation screen to quickly ask a multiple-choice question. State the top four or five needs most customers have, and ask new leads to mention which one they consider most important.
- Carry out a feature value analysis. Examine how customers make use of your product to see the features that are most important to them. The way customers use your product will tell you how best you can support them.
- Gather and analyze the data from your findings to better understand what your target audience and customers need the most. Add this insight to your procedures and choose the principles to concentrate on.
Audit regularly to ensure SOC 2 principles are met consistently
As technology continues to evolve and threats—both known and unknown—continue to increase as well, it’s important to carry out regular audits of the principles your business focus on.
Let’s take Auth0 as an example once again; they’re always deploying new releases—about three to four times in a day. The implication of that is that they have processes in place to track each of the releases. To adhere to the procedures they committed to in the Security principle of their SOC 2 Type II report, Auth0 requires that another team member approve updates before moving anything from staging to production.
Also, Auth0 continues to run three types of tests—function, function, and HTTP—to make sure the code, user interface, and APIs are operating as they should. And since these tests are done using Slack integrations, there’s also a historical log of what had run, and when.
When you come up with policies and procedures for your SOC 2 Type II report and audit, use the following questions as a guide. Bear in mind that these questions are applicable to all principles:
- What parameters do you have to determine if there’s a real threat that needs you to take action and resolve?
- Who is notified first, and what will they do?
- How do you define what’s normal for your cloud storage environment?
- What types of threats are there on cloud environments?
- When are customers made aware of the issue?
- What kinds of information will you send customers?
- How often will you communicate with customers as the issue is being resolved?
- How will you share information with customers (visa email, text, or social)?
- Where is documentation stored?
- Is it easily accessible for review by anyone on the team?
- Is there a place for customers to track your change log?
The answers provided to such questions as these lay the foundation for your SOC 2 report and help you look forward to and plan for threats.
Preparation for your audit
There are four steps to take as you get ready for your audit:
- Determine the objectives of the audit. Here, you figure out what type of audit you need: whether it would be SOC 2 Type I or Type II. If you just want to test that the procedures you currently have are developed properly, get a Type I audit. However, if you want to go further and test whether your procedures operate the way you’ve developed them to over a period of time, get a Type II audit.
- Concerns on address. Depending on your niche or industry, read up on the relevant local, state or federal regulations, policies and rules. Here, the goal is to show in your documentation that you’re aware of the laws governing how your business operates and have accounted for them.
- Have documentation for the process. Write down every important detail of the processes and procedures followed, as your documentation would be used by CPAs to determine that you’re ready for SOC 2 certification. Start with the 11 questions above for creating your procedures guides.
- Test your readiness for the actual audit. Look at every section of your documentation to be sure you’re prepared for any threats that may come up. This dry run also gives you an opportunity to spot issues and resolve them before the actual audit.
Between the two types of SOC 2 compliance audits, SOC 2 Type II usually takes more time. Begin your preparation months before your scheduled audit to give yourself adequate time to find and fix issues, and to make sure that your procedures fully support your principles. Take time to find opportunities to step up on security, upgrade documentation, and let your team know about the updates.
Five SOC 2 traps to avoid
While preparing for your SOC 2 audit, here are five traps to be careful of:
1. Scoping poorly the audit report to set the boundaries and services of the data system.
A critical mistake most companies make is forgetting to specifically define which services will be used or removed from the system that’s defined in the SOC 2 report.
2. Insufficient documentation on the major internal controls that are in scope
It’s important that the company management or the CTO come up with a description of the main internal controls of a system. This should sufficiently explain the following:
- The design of the system
- The infrastructure of the system
- The software used by the system
- Data and information used by the system
3. Beginning the audit test without conducting a readiness assessment
Starting the SOC 2 compliance audit before your organization is ready will result in a lengthy audit process. Time will be wasted and that will cost the company. Make sure you request for a readiness assessment from your audit partner. This will open up issues and help you resolve them before the SOC 2 audit.
4. Not clearly setting audit boundaries between your company’s environment and third parties
Most companies make use of external vendors to perform services. An example is a cloud service provider. You should make sure to separate compliance within their company and within their service provider.
5. Not consolidating your different compliance requirements into one SOC report.
Don’t miss the opportunity to consolidate other compliance requirements into your SOC report. SOC 2 reports can include related subject matter, an approach that can reduce your costs and resource efforts.
Data security is the key to business success. Companies like Intercom and Auth0 have demonstrated the value of SOC 2 compliance. While all of their growth and success isn’t purely a result of the certification, it’s played a role in helping them attract large enterprise businesses. SMB and enterprises that rely on your services need to be confident that you are prepared for security threats. These customers are more likely to choose you and refer you to their network.
When is best to Consider SOC 2 Compliance?
It’s a good idea to consider becoming SOC 2 compliant early in your company’s journey if you know you are going to be selling technological services to enterprises and will be storing and/or accessing sensitive customer data of any sort.
While it can be challenging to undertake a SOC 2 compliance exercise while you are small and under-resourced, it can actually be even harder to do once you grow larger. The larger your company is and the further along you are in your growth, the harder it is to change culture, processes, tools, and more.
When you are smaller, you may not have an IT or security owner, but as soon as you do hire someone in a role like that, you may want to begin thinking about preparing for SOC 2 compliance. Sooner is better, since it will help you integrate the processes and controls into your team’s culture from the get-go. In fact, the team at Blissfully decided to become SOC 2 compliant quite early in our journey.