Security audits can be a real eye-opener. As a company built on helping small and medium businesses prepare for their SOC 2 audits, we know from experience that many companies are completely blindsided by what an audit can bring out. This can happen not just during your first SOC 2 audit, but also if you change auditors. Luckily, you can prepare for these issues with a little foresight. Here are some tips for preparing for your first SOC 2 audit, or for a SOC 2 audit with a new auditor.
Understand the pre-audit timeline
Your audit actually begins well before the auditor starts their onsite visit. Preparing for the SOC 2 audit obviously means having already implemented SOC 2 at your organization. Ideally, this means you've documented your controls and how each one meets the SOC 2 criteria. In fact, having all of these lists in place should inform who you choose to perform the audit (see below).
In preparing for an actual audit, you'll need to assemble your internal SOC 2 project team, understand the scope of the project, and assign responsibilities, well before you decide which auditor to go with. You'll also need to perform a gap analysis and remediate any control deficiencies in preparation for the audit. All of this preparation has to take place well before the auditor sets foot on your premises. You may need a consultant to help with all of this, which is completely normal.
Develop and identify your own controls based on the Points of Focus as early as possible
One way to be better prepared is to define your control list as soon as you possibly can. SOC 2 provides example controls, but the auditor will look to you and ask what your controls are in order to determine whether you're meeting the criteria. The auditor will work to verify that you meet each criterion outlined in SOC 2, and to do that, they'll look at the Points of Focus. They'll excuse irrelevant Points of Focus (for instance, fully remote companies may not need physical security), but every other one must be met with some type of control.
The auditors will use your control list to build their request list, and will usually ask for your list about a month before the end of the audit. However, it's a good idea to share your company's control list with your auditor before the audit begins and ask whether it raises any red flags for them, so you can prepare for those questions when they come. In fact, you can even use your control list and the auditor's reaction to it as a way to gauge the flexibility of prospective external auditors, so you can select one who will be a good fit for your company.
Recognize that you’re going to have disagreements with auditors
Because SOC 2 is less prescriptive than other security standards like PCI or ISO 27001, some of the requirements are subject to opinion rather than hard and fast benchmarks. While there are common ways to ensure compliance, your methods may differ because of how your organization works. What it all comes down to is understanding your organization's risks, and being able to explain in full how the controls you've put in place mitigate those risks. If you understand the criteria and the Points of Focus as laid out in SOC 2, you'll be in a better position to explain to an auditor why you're doing something differently from industry best practices, or to respond if an auditor asks you for something you don't have.
In fact, if you know that your organization has controls in place that are very different from what an auditor might normally expect, you're better off raising that early in the audit. Even though SOC 2 is extremely flexible, auditors will probably expect the sample controls set forth in SOC 2 to be in place at your organization. It's also a good idea to ask your auditor for the list of illustrative controls they look for and check whether each one applies to your company, so you can have a response ready when the time comes.
Recognizing that you're going to have disagreements can also help you remember to set a cooperative tone rather than a defensive or challenging one. Challenging the standard doesn't usually go well, because it's the auditor's job to assess whether you're meeting it, whether or not you agree that it's necessary. Instead, be prepared to explain why the controls you have in place meet the criteria in a different way. Don't be defensive about your particular controls; be collaborative, and the audit will go much better for everyone.
While a SOC 2 audit can be eye-opening, it doesn't have to be a disaster. Practical Assurance has created a self-service readiness tool that lays out a number of the expected controls and samples of what an auditor will be looking for. You can get started today for free at https://app.practicalassurance.com/signup.
For more tips on getting through a SOC 2 audit, check out our webinar, Overcoming SOC 2 Roadblocks, here.