SOC 2 Compliance Checklist #Fails
February 01, 2021
SOC 2
We've seen many attempts at a SOC 2 compliance checklist over the past few years as more and more companies have become interested in obtaining a SOC 2 audit report. Unfortunately, there are fundamental flaws that we routinely see in these types of checklists. Today we'll dive into the flaws to watch out for -- ones that could lead to extreme frustration if you were to complete a SOC 2 compliance checklist and later discover (with an auditor present) that you are far from ready for a SOC 2 audit. Here's the scoop.
1. No Basis in Trust Services Criteria
Every SOC 2 audit engagement should begin with an agreement on scope, aligned with categories defined in the Trust Services Criteria:
- Security: Information and systems are protected against unauthorized access, unauthorized disclosure of information, and damage to systems that could compromise the availability, integrity, confidentiality, and privacy of information or systems and affect the entity’s ability to achieve its objectives.
- Availability: Information and systems are available for operation and use to meet the entity’s objectives.
- Processing Integrity: System processing is complete, valid, accurate, timely, and authorized to meet the entity’s objectives.
- Confidentiality: Information designated as confidential is protected to meet the entity’s objectives.
- Privacy: Personal information is collected, used, retained, disclosed, and disposed of to meet the entity’s objectives.
If the audit will have a scope, so should any checklist that you consider using to improve your readiness for an audit. A one-size-fits-all checklist is a sure path to a mismatch in scope -- if your checklist only covered Security and Availability, but your eventual audit also covered Confidentiality, there is little chance that your organization is adequately prepared for the audit.
2. No Evaluation of Your Customer Commitments
The word "commitment" has a very specific meaning in the context of SOC 2. Here's the definition from AICPA that you should have in mind:
Declarations made by management to customers regarding the performance of one or more systems that provide services or products. Commitments can be communicated in written individualized agreements, standardized contracts, service level agreements, or published statements (for example, a security practices statement). A commitment may relate to one or more trust services categories. Commitments may be made on many different aspects of the service being provided or the product, production, manufacturing, or distribution specifications.
A recurring theme that you should expect in your SOC 2 audit is around what commitments you've made (to customers, partners, etc.), and what policies, processes, systems, etc., you are bringing to bear to ensure that you are fulfilling those commitments. Therefore, if you are following a SOC 2 compliance checklist, you'll want to keep an eye out for whether or not the checklist has some way of factoring in your customer commitments. That's a fundamental basis for much of the activity that will occur in the audit.
For example, if your SOC 2 audit includes the Availability criteria, you'll likely find yourself supplying evidence about the SLA (service level agreement - often characterized in terms of uptime percentage) commitments that you made to customers. Have you been committing to 99% uptime with clients? Was there "that one agreement" where you committed to 99.99% uptime? Does your standard terms of use document commit to 99.5% uptime? Whatever the case, an important part of a SOC 2 audit is the process of determining precisely what commitments you've made. That's a prerequisite to examining the programs you have put in place to ensure that you deliver on those commitments.
3. No Consideration of the Common Criteria
If you aren't familiar with the Common Criteria for evaluating the effectiveness of controls, you are in good company. Few companies that embark on their first-ever SOC 2 audit are familiar with the Common Criteria. The reason we mention them, though, is that if your checklist fails to surface topics related to the Common Criteria, there is a very good chance that your SOC 2 compliance checklist is flawed. Here are the Common Criteria sections defined by AICPA:
- The control environment (CC1 series)
- Communication and information (CC2 series)
- Risk assessment (CC3 series)
- Monitoring of controls (CC4 series)
- Control activities related to the design and implementation of controls (CC5 series)
Notice how these criteria extend far beyond the question of whether you are meeting your customer commitments. The SOC 2 audit process is designed to examine not only the controls themselves, but the process by which the controls are designed, assessed, communicated, and monitored. Your SOC 2 compliance checklist isn't complete without a broad consideration of these factors.
Wrapping Up: SOC 2 Compliance Checklist #Fails
There are quite a few checklists circulating, each of which claims to be a path to prepare for a successful SOC 2 audit. We've yet to see a perfect one, and perhaps that's fine: a checklist that moves you towards a stronger chance of a successful audit is helpful. However, you should evaluate any checklist that you are considering -- by squaring it up with the above factors. By doing so, you'll get a strong sense for how thorough and complete your SOC 2 compliance checklist is. That's what will set your expectations about the extent to which the checklist is actually sufficient to prepare for a SOC 2 examination. Need a hand working through your company's particular situation? Drop us a line; we're glad to help.