
SOC 2 Compliance Checklist and Best Practices for an Audit

Tony Luciani

Why Does My Company Need a SOC 2 Report?

There are various types of SOC (System and Organization Controls) reports for service organizations, including SOC 1 for internal control over financial reporting (ICFR) and SOC for Cybersecurity. However, one of the most widely requested information security attestations is the SOC 2 report. Strictly speaking, a SOC 2 is an attestation report issued by a licensed CPA firm rather than a certification, although the two terms are used interchangeably in practice and in the rest of this article. Governed by the American Institute of Certified Public Accountants (AICPA), SOC 2 reports are intended to meet the needs of businesses that require detailed information and assurance regarding their IT vendors’ controls relevant to the security, availability, and processing integrity of the systems used to process users’ data, and the confidentiality and privacy of the information processed by those systems.

Benefits of a SOC 2 Report in Business

If your company provides technical solutions, the first step in earning the trust of customers is demonstrating your compliance with the AICPA’s Trust Services Criteria through a SOC 2 report. In particular, service organizations benefit from the following advantages of having a SOC 2 report:

  • Peace of mind that your security controls are designed and operating effectively.
  • Ability to efficiently and effectively respond to IT questionnaires from customers and partners.
  • Ability to provide assurance to clients and partners that your business complies with their standards. 
  • Helps win more customers and gain an advantage over competition by creating trust in your company’s network security. 

Typically, during the sales process, a client will ask their solution provider to fill out an IT questionnaire prepared by the client’s InfoSec, legal, compliance, or engineering team. In these instances, having a SOC 2 report can greatly expedite the process of providing answers to this questionnaire, while also instilling confidence in the client that there is a mature information security program in place that will protect their business’s data, privacy, and reputation.

As the demand for cloud-based solutions increases, SOC 2 certification will continue to be seen as the industry standard that distinguishes an IT solution provider from other competitors. In the following sections, we will explore the road to attaining a SOC 2 certification.

Scoping SOC 2 Requirements

SOC 2 audits evaluate an organization’s system and organization controls based on the Trust Services Criteria, developed by the Assurance Services Executive Committee (ASEC) of the AICPA in 2017. These criteria are classified into the following five categories: 

  1. Security
  2. Confidentiality
  3. Availability
  4. Processing integrity
  5. Privacy 

Of the five Trust Services categories, Security is the baseline: its common criteria are required in every SOC 2 examination, and the first five groups of common criteria (CC1 to CC5) are drawn directly from the COSO internal control framework, which applies to any industry. The other four categories are optional and may be added to a SOC 2 engagement based on applicability to your industry and the services your organization provides (view the entire Trust Services Criteria and related points of focus at AICPA).

Evaluating SOC 2 Security Controls

Security refers to the protection of: 

  1. Information during its collection, creation, use, processing, transmission and storage. 
  2. Systems that store, process, or transmit data relevant to the services provided by the organization.

The following are the Security common criteria that correspond to the COSO principles (CC1 to CC5). The remaining common criteria, CC6 (logical and physical access controls), CC7 (system operations), CC8 (change management), and CC9 (risk mitigation), are where most of the technical controls owned by an engineering team are tested.

CC1: Control environment (COSO Principles 1-5)

Covers the service organization’s commitment to integrity and ethical values, board independence and oversight of management, organizational structure and lines of authority, and the attraction, development, retention, and accountability of competent personnel.

CC2: Communication and information (COSO Principles 13-15)

Includes the communication of relevant information to internal personnel, as well as clients of the service organization.

CC3: Risk assessment (COSO Principles 6-9)

Meant to demonstrate that the service organization identifies and assesses the risks that could affect its objectives, including fraud risk and the impact of significant change, and puts plans in place to mitigate those risks.

CC4: Monitoring of controls (COSO Principles 16-17)

Covers ongoing and separate evaluations of whether controls are present and functioning, and the communication of control deficiencies to the personnel responsible for corrective action.

CC5: Control activities (COSO Principles 10-12)

Tests that the service organization selects and develops control activities that mitigate the risks identified under CC3, including general controls over technology, and deploys them through documented policies and procedures.

Defining SOC 2 Controls to Meet Trust Services Criteria

Some of the verbiage used when designing controls against AICPA’s Trust Services Criteria can be confusing. The phrases below describe what a well-designed control looks like in practice; each is followed by what it means:

“Minimal impact to workflow”

Meaning: Operating the control should not require staff to divert from their normal process. A control that forces a detour tends to get skipped.

“Up-Front vs. Back-End”

Meaning: An up-front control produces its evidence as the work is done (for example, the approval recorded on a ticket or the reviewer recorded on a merged change). Back-end means “I’ll generate the evidence after the work is done,” which is harder to reconstruct and easier for an auditor to challenge.

“No busy work”

Meaning: Busy work is adding extra steps to a process solely to produce more evidence. Evidence should fall out of the work itself.

“Automatable to generate/provide”

Meaning: Prefer evidence a system can produce on demand, such as a system-generated report of user access rights, over lists assembled by hand.

“Empowers team members”

Meaning: Team members can perform their job while meeting the control requirement in the process, rather than having compliance performed on them afterwards.
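As an added illustration of “automatable” and “up-front” evidence (example code written for this article, not AuditBoard code or a product feature): the script below takes an identity export, here a constructed CSV with assumed field names (user, role, mfa_enabled, last_login, hr_status), runs the checks a periodic user access review would make, and emits an evidence record that ties the result back to the raw export by hash. Real exports from an identity provider or cloud IAM use different field names, but the review logic is the same.

```python
"""Automated user-access review evidence for a SOC 2 access control.

Added example, not AuditBoard's code. It assumes an identity export in the
constructed CSV format below; the field names are assumptions, not a real
vendor schema.
"""
import csv
import hashlib
import io
import json
from datetime import date, datetime, timedelta

# Constructed sample export (not real data).
IDENTITY_EXPORT = """\
user,role,mfa_enabled,last_login,hr_status
alice,admin,true,2024-05-30,active
bob,engineer,true,2024-05-29,active
carol,admin,false,2024-05-28,active
dave,engineer,true,2024-01-15,terminated
erin,support,true,2023-12-01,active
"""

REVIEW_DATE = date(2024, 6, 1)   # assumed review date for the sample
STALE_DAYS = 90                  # assumed inactivity threshold


def parse_export(text):
    """Parse the CSV export into a list of dicts with typed fields."""
    rows = []
    for r in csv.DictReader(io.StringIO(text)):
        rows.append({
            "user": r["user"],
            "role": r["role"],
            "mfa_enabled": r["mfa_enabled"].strip().lower() == "true",
            "last_login": datetime.strptime(r["last_login"], "%Y-%m-%d").date(),
            "hr_status": r["hr_status"].strip().lower(),
        })
    return rows


def review_access(users, review_date=REVIEW_DATE, stale_days=STALE_DAYS):
    """Return the exceptions a reviewer must dispose of; empty means clean."""
    exceptions = []
    cutoff = review_date - timedelta(days=stale_days)
    for u in users:
        # Leaver still has an account: the offboarding control failed.
        if u["hr_status"] == "terminated":
            exceptions.append({"user": u["user"],
                               "finding": "active account for terminated user"})
        # Privileged access without MFA.
        if u["role"] == "admin" and not u["mfa_enabled"]:
            exceptions.append({"user": u["user"],
                               "finding": "privileged account without MFA"})
        # Dormant account: candidate for removal.
        if u["last_login"] < cutoff:
            exceptions.append({"user": u["user"],
                               "finding": f"no login in {stale_days} days"})
    return exceptions


def build_evidence(export_text, review_date=REVIEW_DATE):
    """Produce the evidence record an auditor can tie back to the raw export."""
    users = parse_export(export_text)
    return {
        "control": "Periodic user access review",
        "review_date": review_date.isoformat(),
        # Hash of the input so the report and the export can be matched later.
        "source_sha256": hashlib.sha256(export_text.encode()).hexdigest(),
        "accounts_reviewed": len(users),
        "exceptions": review_access(users, review_date),
    }


if __name__ == "__main__":
    print(json.dumps(build_evidence(IDENTITY_EXPORT), indent=2))
```

Run on the sample, the report lists four exceptions across three users (carol, dave, erin) and the hash of the export it was generated from; storing that JSON with the export gives the auditor system-generated evidence for the review rather than a spreadsheet assembled afterwards.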

SOC 2 Compliance Checklist: 4 Steps for Preparing for An Audit

Step 1: Scoping

In addition to the Trust Services Criteria, other scoping considerations are your system in-scope (application or service, people, locations or entities, technology) and your timeline for having a SOC 2 report readily available. If applicable to your business, other security frameworks (pertaining to your industry and regulatory requirements) may be added to your SOC 2 compliance program. Some of these frameworks include: HITRUST, HIPAA, ISO 27001, NIST CSF, and COBIT.

Step 2: Perform a Self-Assessment

A typical SOC 2 readiness project is carried out across several months. A part-time coordinator or contractor may be sufficient for the readiness assessment, rather than hiring an audit firm, especially when leveraging an effective GRC platform. Bear in mind that the CPA firm that will issue the SOC 2 opinion cannot design or implement the controls it will later test without impairing its independence.

SOC 2 Readiness project example

Step 3: Close Gaps

Findings from your self-assessment are the control gaps that must be closed before the actual SOC 2 audit. Gap remediation will generally entail: 

  • Developing missing policies and procedures 
  • Modifying process workflows so that evidence is produced as part of the work
  • Implementing missing security controls, prioritizing the critical ones first

Step 4: Perform Readiness Assessment/Audit 

Following the gap remediation process, a final readiness assessment should be conducted, where security controls are re-assessed and controls are tested and verified to be working as intended. This is also an opportunity to identify any effectiveness issues and to perform final remediation.

Best Practices for a Successful SOC 2 Audit

SOC 2 attestation is repeated on an annual basis. A Type 1 report covers the design of controls at a point in time, while a Type 2 report covers their operating effectiveness over a review period, typically 6 to 12 months, so the evidence has to be produced continuously rather than gathered once. Thus, creating a sustainable foundation for your compliance program is key to maintaining your SOC 2 status in the long term. Whether your organization’s SOC 2 efforts reside with your IT Audit, InfoSec, Risk Management, or Compliance function, developing a compliance program requires support across the business. Below are best practices for preparing for your SOC 2 audit: 

  • Assign a leader to drive SOC 2 readiness initiatives in the organization. 
  • Involve stakeholders, including executive management and other leaders in the business.
  • Understand your weaknesses and risks.
  • Leverage a GRC platform to drive workflows and take control of the audit.

Leveraging a GRC Solution to Streamline SOC 2 Certification

As mentioned previously, you can save resource hours and costs when performing a SOC 2 assessment by employing a cloud-based GRC platform. Moreover, managing your compliance program in a solution that fits your organization’s needs can be a cost-effective and efficient way to streamline your path to certification, while simultaneously reducing the challenges and risks of managing SOC 2 using spreadsheets, email, and shared drives. A purpose-built GRC solution can enable you to: 

  • Easily scope your SOC 2 requirements. 
  • Centralize your SOC 2 compliance data in an environment that serves as the single source of truth and allows you to see across all your controls and know which requirements they map to.
  • Help you efficiently prepare for your SOC 2 audit while serving as an evidence repository and a history log of your compliance activities. 
  • Bring all stakeholders (Management, IT, DevOps/Engineering, Legal/HR, Physical Security) together in one place to collaborate and communicate during the SOC 2 assessment process.
  • Efficiently perform assessments and facilitate formal audit preparedness through automated readiness assessment surveys.
  • Streamline issue remediation and close gaps with automated workflows and notifications to issue stakeholders. 
  • Drive the actual certification process by enabling third-party auditors to work in a centralized platform containing all relevant data.
  • Save significant resource hours and costs.

In addition to these efficiencies, managing your SOC 2 program in a GRC enables your business to easily update requirements and adopt additional compliance frameworks, without losing centralization or impacting existing testing schedules. As your compliance program grows and matures, a GRC empowers your business to streamline its compliance activities across multiple frameworks to reduce repetitive administrative tasks. Ultimately, proper preparation for obtaining your SOC 2 certification is critical, and your compliance environment is the key to your success. To learn how AuditBoard’s integrated compliance management solution can help you prepare for your SOC 2 certification and streamline your compliance program, contact us for a personalized product walk-through today.

Tony Luciani

Tony Luciani is a Senior Manager of Product Solutions at AuditBoard. Prior to AuditBoard, Tony served as IT Risk and Compliance Manager at Sony Pictures. As a former InfoSec consultant, PCI QSA, and CCSFP Assessor, his experience ranges from performing gap/attestation assessments (i.e. NIST, ISO, CIS, SOC2, PCI, HITRUST, etc.) to facilitating IT risk management programs for customers across multiple industries.
