
SOC 2 Compliance Checklist: Pre-Audit Steps

Thinking of engaging a SOC 2 auditor? Good thinking. Successful completion of a SOC 2 audit carries a great deal of credibility, especially for small organizations seeking to do business with large enterprises.  Heading into your SOC 2 audit (and in fact, before you engage an auditor) you should have a SOC 2 compliance checklist in mind.  That checklist should contain the things that you believe you will need to demonstrate to the auditor.

A common misperception is that the SOC 2 process is designed to help you implement additional controls and processes.  Not so.  The SOC 2 audit is designed to evaluate your organization's practices, on the premise that you already have the controls and processes in place.

SOC 2 Compliance Checklist In AICPA's Words

If you haven't yet reviewed AICPA's Information for Service Organization Management, it's worth a look.  A good place to start is the section called Management Responsibilities In a SOC 2 Examination Prior to Engaging the Service Auditor.  We'll state it more plainly here: if you are considering seeking a SOC 2 audit for your organization, there are some prerequisite steps that you need to handle first.

There are two quotes that we think are particularly revealing (although verbose) about your obligations prior to engaging an auditor.  You should, as a prerequisite, take care of:

"Specifying the principal system requirements related to commitments made to business partners"

"Designing, implementing, operating, monitoring and documenting controls that are suitably designed and, in a type 2 examination, operating effectively to provide reasonable assurance of achieving the service organization’s service commitments and system requirements based on the applicable trust services criteria"

We'll dive deeper into what that means, next.

Commitments Made to Business Partners

Have you made any commitments to business partners?  It'd be hard to say you haven't.  Surely you are, at a minimum, on one or the other side in a Terms of Service agreement.  More likely you are also committed to a few Master Service Agreements (MSAs).  And we'll bet that you've also answered a few enterprise security questionnaires that were incorporated by reference into a broader agreement with a customer or partner.  Hopefully you've been keeping up with those commitments, but if you haven't, the time to catch up is now.  Before engaging an auditor.  Because it's sure to come up in the audit, and that's not good for anyone (especially you).

Designing, Implementing, Operating, Monitoring, and Documenting Controls

Remember what "controls" are?  If you need a brief refresher, we wrote recently about some of the controls that are called for in organizations that are subject to FedRAMP -- so feel free to check out our thoughts about password-based authentication here.  That's a great example of a control that everyone can relate to.

So, is it enough to have a list of controls in hand, to be able to hand to the auditor?  No. You have to:

  1. Design
  2. Implement
  3. Operate
  4. Monitor
  5. Document

That's the level of maturity that SOC 2 expects of your controls.  That's your checklist for controls that you anticipate being "in scope" for your audit.

SOC 2 Compliance Checklist: Getting Real

Suppose that one of your controls involves annual security awareness training for each of your employees.  Here are some practical examples of how to think about the above checklist as it relates to that particular control:

  1. Design: what's the nature of the training session that employees will be required to participate in, and what's the cadence of the training?
  2. Implement: has the training actually occurred, or has it only been "planned"?
  3. Operate: is the training truly in operation -- are current employees trained, are new employees promptly trained when they join the organization?
  4. Monitor: are you able to demonstrate that your employees are abiding by the control?  Do you have a dashboard or log?
  5. Document: is there a place to point an auditor to demonstrate the nature of the training, the fact that employees are indeed complying with the requirements, and that someone is monitoring for anyone who isn't complying?

If this sounds like a pain, it certainly is when you "go it alone" -- working through dozens or hundreds of controls, and handling the above checklist all with home-built systems such as Excel spreadsheets, manually edited policy documents, etc.  Want help working through this checklist across dozens (or hundreds) of controls?  We're standing by.
