This article was updated July 1, 2022.
As rapidly changing IT systems introduce new security concerns, System and Organization Control (SOC) 2 examinations, or SOC 2 audits, are increasingly important for service organizations.
While these SOC 2 audits can be extensive and often time consuming, they address IT and operational risk as well as instill customer confidence in security, availability, processing, confidentiality, and privacy policies and practices.
Following are some key ways your company can improve its SOC 2 audit report to increase credibility, get more out of the exercise, and stay competitive.
SOC Audits Allow You to Assess Your Control Environment
SOC 2 audits can help customers gain confidence in your company’s control environment while it’s assessed against the American Institute of Certified Public Accountants’ (AICPA) SOC 2 criteria.
The SOC report attests to the design and operating effectiveness of your company’s internal controls over one or more chosen categories, outlined below. The design and operating effectiveness of key internal controls are examined, and the auditor issues an opinion. This in turn offers your customers insight into the design and effectiveness of your internal controls.
AICPA Defined Categories
- Security. Controls over physical and logical access as well as incident handling, system monitoring, and network security.
- Availability. Controls over monitoring availability of information and systems, backups and restoration testing, disaster recovery, and business continuity planning.
- Processing integrity. Controls to verify the data processed is complete, valid, accurate, and timely; may be in the form of key reports.
- Confidentiality. Controls protecting data designated as sensitive or confidential, which is especially relevant in multi-tenant environments.
- Privacy. Controls over privacy, especially relevant for environments that deal with personally identifiable information (PII) or protected health information (PHI).
Who Needs a SOC 2 Audit?
SOC audits have become an expected standard for all service organizations that interact with or operate as vendors that store, process, or maintain client data.
CISOs, CFOs, and auditors rely on SOC 2 audits to gain comfort and valuable insight into the internal controls of critical vendors and service providers.
Regardless of your company’s line of services—from Software as a Service (SaaS) to Intelligent Autonomous Systems (IAS)—if it has ongoing interactions with customer data or acts as a third-party provider, it will likely need an annual SOC 2 report. This helps it remain competitive in the marketplace and forgo the numerous vendor audit and security questionnaires.
Consistent SOC 2 audits not only help keep your company safe, but they can also help potential customers, business partners, or buyers gain comfort over the soundness of the system of internal controls. This can help your company’s credibility and competitive edge in the market, increasing consumer confidence.
Improve Your Outcome
Adequate preparation can greatly reduce associated stressors of undergoing a SOC 2 audit and improve your outcome. Preparation falls within three key steps.
1. Understand the Timeline
The timing associated with SOC 2 testing varies based on a company’s controls and preparation, as well as timing preferences based on customer demand or business cycles.
Companies should begin preparing for their SOC 2 compliance report with their service auditor two to three months before the examination fieldwork takes place. In addition, be in contact with your auditor at least quarterly to discuss system changes, updates, or significant events.
SOC 2 Fieldwork
Only the fieldwork portions take place onsite. Length of time for fieldwork will vary based on the selected categories and size of a company’s control set.
Time to complete fieldwork is based on the number of controls. Here’s a rough estimate:
- Small control set—one to two weeks
- Medium control set—two to three weeks
- Large control set—three to four weeks
2. Perform Ongoing Analysis
Last-minute discoveries can derail the best-laid plans.
Timing delays can cause a SOC 2 audit to take longer than initially estimated and may result in control failures. However, there are steps your company can take on an ongoing basis to prevent or address these potential issues.
How to Combat SOC 2 Delays
- Monitor your internal controls on an ongoing basis. Create a team of professionals in charge of consistently monitoring controls, collecting relevant evidence, and addressing unintended changes or threats if they occur.
- Enable configuration-change notifications. In the event of a change in your company’s control environment due to an error or fraud, immediate notifications to your service auditor can help your company prevent or reduce damage.
- Apply consistent technology across all locations. This allows different locations to exchange data and information with fewer compatibility errors or mistakes.
- Stay up-to-date with technology upgrades. Your infrastructure can become vulnerable as technology becomes outdated. It’s important to update your systems with software upgrades and adopt new technology systems as cyberthreats evolve.
- Document system changes. With a SOC 2, evidence of controls operating during the full examination period will be expected. Discuss significant system changes, updates, or entity-level changes with your service auditor to understand the expected evidence to retain before and after the significant event.
3. Look Externally
Maintaining controls throughout the year can be challenging for all companies, but it presents particular challenges for the following companies:
- Small companies that don’t have designated compliance personnel or can’t maintain the appropriate segregation of duties
- Businesses that recently experienced a merger or acquisition, or other material changes to the control environment
- Large businesses that have a difficult time designating professionals for their ongoing monitoring team
In these instances, companies can benefit from outsourced services.
While your service auditor must remain independent in their approach, they can assist management through complementary consulting engagements. These may consist of readiness assessments in which the examiner can help identify and map the control activities to the AICPA’s prescriptive criteria.
The service auditor can also leverage their understanding of management’s processes and environment to help management craft the system narrative, which is often a stumbling block for first-time examinees.
We’re Here to Help
With adequate resources and preparation, your SOC 2 report can support your company’s reputation and help better position it for success. To learn more about how to prepare for and improve your next SOC 2 report—or for assistance with another type of SOC report—contact your Moss Adams professional.