SOC 2 Type II Compliance: Handling Awkward Conversations and Preparing Your Organization
October 22, 2020
SOC 2 Cyber Security | Enterprise Security Questionnaire
Let’s get two things straight. First, we believe in the ability of SOC 2 Type II to drive positive change in cybersecurity and beyond. Second, it’s painful to be asked about your level of SOC 2 Type II compliance without having a good answer.
That’s why we’re here. This post explores what to do when an enterprise customer or another stakeholder asks about your compliance. If you already hold an unqualified (clean) SOC 2 Type II report, you can stop reading: you have the answer. If your report came back qualified, meaning the auditor’s opinion carries exceptions, you need more help than a blog post can cover.
If you’re looking for ways to handle conversations around your SOC 2 preparedness, then we can help with that. Again, our goal is to help you find a way to show your stakeholders and customers that you are ready and willing to protect their information.
What is a SOC 2 Type II Report?
A SOC 2 Type II report describes the safeguards (controls) your organization has put in place to protect customer data and, unlike a Type I report, also attests to how well those controls operated over an observation period, typically several months. When you are the customer, a vendor’s SOC 2 report is how you assess the risk of relying on that vendor’s cloud service; when you are the vendor, it is how your customers assess you. SOC 2 reports are issued by independent third-party auditors and are organized around the AICPA Trust Services Criteria: security, availability, processing integrity, confidentiality, and privacy.
Your SOC 2 report is the primary document proving your company follows proper security measures to protect customers, per the standards set by the American Institute of Certified Public Accountants (AICPA).
Tips on Responding to SOC 2 Type II Compliance Questions
Below is an overview of the steps your organization should take to deal with questions about your SOC 2 readiness. Use these tips to prepare for a potential SOC 2 Type II audit.
1. Compensating Controls
Just because you haven't been through a SOC 2 Type II audit doesn't mean that you don't have many of the controls that would be required by that type of audit. To present a compelling storyline about how you take security seriously (even though you don't have a clean SOC 2 Type II report), we recommend preparing a cohesive explanation that includes:
Policies and plans
A good place to start is establishing an InfoSec Policy, an Acceptable Use Policy, a Disaster Recovery Policy, and an Employee Handbook. Of course, many other types of policies and plans exist, like a Business Continuity Plan or a Change Management Policy. If you’re just getting your policies and plans organized, however, it’s often easier to fold the lower-priority policies into a small, targeted set of policy documents rather than maintain a dozen separate ones.
Make a genuine effort to implement the plans and policies. For real. If you say that every workstation uses encryption at rest, make sure you’ve rolled out configuration changes that make that statement true.
That holds even if "rolling out configuration changes" in your organization is as simple as sending everyone instructions for enabling encryption and asking them to send in a screenshot proving they’ve done so. It’s not an optimal approach (a screenshot is self-attestation, and an auditor will prefer evidence generated by the system itself, such as an MDM or inventory export), but it’s better than nothing.
Self-audit
Yes, you read that right. Take the time to audit yourself. There are two good reasons to take this step. First, you’ll find out that your team isn’t quite as compliant with your policies as you thought. Start figuring out why that’s the case and how to get closer to 100% compliance.
Second, auditing yourself will teach you which reporting mechanisms you do and don’t have to prove you’re following your established policies. There is an excellent chance you’ll end up with one or more policy elements for which you can’t verify compliance at all. Treat that as a wake-up call and use the opportunity to put a mechanism in place.
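As an added example of what such a reporting mechanism looks like for the "encryption at rest on every workstation" control discussed above (this is illustrative code written for this article, not Havoc Shield tooling), the script below parses the raw output of `lsblk -J -o NAME,TYPE,MOUNTPOINT` on Linux and `fdesetup status` on macOS and tallies the results. The host names, the evidence layout, and the sample outputs are constructed for the example. The point it makes that the paragraph does not: hosts with missing or unparseable evidence are counted separately as "unverified" rather than quietly passing, so the compliance rate only covers hosts you can actually prove something about.

```python
"""Self-audit helper for the "encryption at rest on every workstation" control.

Added example for this article, not Havoc Shield's own tooling. It turns
machine-collected evidence (the raw output of `lsblk -J` on Linux and
`fdesetup status` on macOS) into a tally that keeps "verified non-compliant"
separate from "no usable evidence". Host names and the evidence layout are
assumptions made for the example.
"""
import json


def linux_root_encrypted(lsblk_json: str) -> bool:
    """Parse `lsblk -J -o NAME,TYPE,MOUNTPOINT` output and report whether the
    device mounted at "/" sits below a dm-crypt ("crypt") device.
    LVM-on-LUKS and plain LUKS layouts both work: any crypt ancestor counts."""
    tree = json.loads(lsblk_json)

    def walk(node, under_crypt):
        under_crypt = under_crypt or node.get("type") == "crypt"
        if node.get("mountpoint") == "/":
            return under_crypt
        for child in node.get("children", []):
            found = walk(child, under_crypt)
            if found is not None:
                return found
        return None

    for device in tree.get("blockdevices", []):
        found = walk(device, False)
        if found is not None:
            return found
    raise ValueError("no device mounted at / in lsblk output")


def macos_filevault_on(fdesetup_output: str) -> bool:
    """Parse the first line of `fdesetup status` ("FileVault is On." / "Off.")."""
    first = fdesetup_output.strip().splitlines()[0]
    if first.startswith("FileVault is On"):
        return True
    if first.startswith("FileVault is Off"):
        return False
    raise ValueError(f"unrecognised fdesetup output: {first!r}")


def tally_encryption_control(evidence: dict) -> dict:
    """evidence maps host -> {"os": "linux"|"macos", "output": str|None}.
    Hosts whose evidence is missing or unparseable land in "unverified";
    they are a gap in your reporting mechanism, not a pass."""
    result = {"compliant": [], "noncompliant": [], "unverified": []}
    parsers = {"linux": linux_root_encrypted, "macos": macos_filevault_on}
    for host, ev in sorted(evidence.items()):
        output = ev.get("output")
        parser = parsers.get(ev.get("os"))
        if not output or parser is None:
            result["unverified"].append(host)
            continue
        try:
            ok = parser(output)
        except (ValueError, IndexError, KeyError):  # JSONDecodeError is a ValueError
            result["unverified"].append(host)
            continue
        result["compliant" if ok else "noncompliant"].append(host)
    return result


def compliance_rate(tally: dict) -> float:
    """Fraction of verified hosts that pass; unverified hosts are excluded
    so a missing screenshot cannot inflate the number."""
    verified = len(tally["compliant"]) + len(tally["noncompliant"])
    return len(tally["compliant"]) / verified if verified else 0.0


# Constructed sample evidence (not captured from real machines).
LSBLK_LUKS = json.dumps({"blockdevices": [{"name": "nvme0n1", "type": "disk", "mountpoint": None, "children": [
    {"name": "nvme0n1p1", "type": "part", "mountpoint": "/boot/efi"},
    {"name": "nvme0n1p2", "type": "part", "mountpoint": None, "children": [
        {"name": "luks-3f1a", "type": "crypt", "mountpoint": None, "children": [
            {"name": "vg-root", "type": "lvm", "mountpoint": "/"},
            {"name": "vg-swap", "type": "lvm", "mountpoint": "[SWAP]"}]}]}]}]})
LSBLK_PLAIN = json.dumps({"blockdevices": [{"name": "sda", "type": "disk", "mountpoint": None, "children": [
    {"name": "sda1", "type": "part", "mountpoint": "/boot"},
    {"name": "sda2", "type": "part", "mountpoint": "/"}]}]})

SAMPLE_EVIDENCE = {
    "ws-01": {"os": "linux", "output": LSBLK_LUKS},
    "ws-02": {"os": "linux", "output": LSBLK_PLAIN},
    "mac-01": {"os": "macos", "output": "FileVault is On.\n"},
    "mac-02": {"os": "macos", "output": "FileVault is Off.\n"},
    "ws-03": {"os": "linux", "output": None},  # only a screenshot was sent in
}

if __name__ == "__main__":
    report = tally_encryption_control(SAMPLE_EVIDENCE)
    print(json.dumps(report, indent=2))
    print(f"compliance (verified hosts only): {compliance_rate(report):.0%}")
```

On the constructed sample, two hosts pass, two fail, and one is unverified, for a 50% rate over verified hosts. The "unverified" bucket is the list of places where you currently have no reporting mechanism; that list, not the pass rate, is the output to act on first.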
2. Promise an Audit Start Date
Consider giving interested stakeholders or customers a start date on which a professional firm will initiate a formal SOC 2 Type II audit. A concrete date shows that your policies and plans are far enough along that you are willing to have them examined.
If you do provide an audit date, make sure it fits your current level of preparedness. You don’t want to call in the big guns before you’re ready. Instead, consider committing to a start six or nine months out, or however much time you need to get the organization prepared.
The point is to advance the conversation to where both sides acknowledge that you don’t currently have a SOC 2 Type II report, and you and the questioner agree on a path toward getting one.
Keep in mind that promising a start date is quite different from giving a specific date on having a “clean” report ready. There’s no way to predict that the report will come out issue-free. For that reason, make sure you don’t commit to an outcome that neither you nor the auditor can guarantee.
3. Promise a Report Date
If the questioner needs more than a commitment to an audit start date, give them a completion date for your professional SOC 2 Type II audit. At Havoc Shield, we’re very familiar with SOC 2 Type II audits that begin with a one- to two-month pre-audit period.
During the pre-audit, the auditor prepares you for the process, including previews of the types of activities that will occur in the audit. We typically see companies scrambling to prepare based on what the auditor says their primary focus will be.
The observation (audit) period begins once the pre-audit preparation is complete and can run as long as six months. During that period, the auditor is looking for evidence that you can sustain, over time, the controls outlined in your policies and plans, not just that they existed on one day.
When companies get into a pinch and need to rapidly engage an auditor, they can move through the entire process and have a report ready in eight to nine months. Of course, that assumes everything goes smoothly.
If you are being pressed to commit to a completion date, we strongly recommend against promising anything faster than that. Auditors do not look favorably on a client who presses them to rush through the motions, and it’s not an approach we recommend.
4. Promise an Unqualified SOC 2 Type II Opinion
Do some soul searching before you do this. Are you certain that the other party will not accept any of the prior alternatives? Pre-committing to an audit you have never been through is a bold move, especially if you’re pushed to guarantee that it will come out clean.
When you engage an auditor, they are under no obligation to issue an unqualified opinion; the opinion follows the evidence. The auditor may uncover behavior in your company showing that you cannot sustainably maintain the controls you committed to in your policies and plans.
If that occurs, the auditor has a professional and ethical obligation to surface the issue. There is some discretion in how it gets raised, but there is no guarantee that it won’t end up in your SOC 2 Type II report as a qualification.
If you absolutely must promise a date by which you will cleanly complete a SOC 2 Type II audit, buy your organization as much time as possible. A year gives your company enough room to restart if things begin roughly. At Havoc Shield, we certainly wouldn’t recommend putting your reputation on the line for a clean audit report on a timeline that gives you one and only one chance to "be perfect" on the first try.
Getting By Without SOC 2 Type II Compliance
Havoc Shield puts a lot of value into SOC 2 Type II compliance. It adds some much-needed checks and balances to claims an organization makes about the quality of its cybersecurity practices. SOC 2 Type II preparedness helps companies find areas of improvement while reducing the risk of falling victim to a cyber attack.
At the same time, Havoc Shield understands the realities faced by many companies, especially small businesses. They may be confronted about their SOC 2 Type II preparedness before having a chance to get their house in order, and it takes time, energy, and sufficient resources to get ready for an audit.
Havoc Shield provided this article as a stopgap to help companies engage in productive conversations around cybersecurity compliance, but you still need a long-term solution. Schedule time with our team here to learn more about how our SOC 2 products can help you get ready for a SOC 2 audit.