If your business is planning to get a SOC 2 audit in the future, getting audit-ready can look like a lot of work and time. But when you break the path to SOC 2 certification down into a timeline, it’s easier to see the stages you’ll need to work through, understand where you can save time and effort, go into your SOC 2 audit with confidence, and come out with a great report at the end.
SOC 2 is an auditing procedure that looks at how companies protect consumer data — reviewing the processes, procedures, and policies a company follows. The purpose of a SOC 2 audit is to evaluate an organization’s internal controls for information security and privacy. Many SaaS companies get SOC 2 audits to demonstrate they’re a trustworthy vendor for enterprise companies. For companies who want to use a SOC 2 report like this to help them win bigger deals, it’s all about ROI.
If you’re researching SOC 2 for your business, we covered the top 10 questions about SOC 2 in a previous post. There we tackled the difference between SOC 1 and 2, the price range you can expect to hear from auditors, and some basics about SOC 2 compliance and audits. Here we’ll walk you through the timeline – how to get started planning for SOC 2, preparing your security program to align with the SOC 2 framework, going through up to 12 months of being audited, and then finally, what to do with the SOC 2 report when you get it.
SOC 2 reports are among the most common compliance requirements for technology-focused companies and service organizations that store customer data in the cloud. Assuming you’ve determined that you need a SOC 2 audit, I talked with cybersecurity pro and our Senior Director of Product Justin Gratto. Here’s what he says happens next.
This is a big step. Before you do anything, you need to know: what will your audit cover? This is when you define your system description for the auditor and determine the audit scope. Planning for SOC 2 is a critical step you can’t overlook. Your planning here will influence the controls, policies, and procedures that you need to prepare ahead of the SOC 2 audit (the next stage we’ll look at). These two components, the system description and the audit scope, will later be included at the beginning of your final SOC 2 audit report. They’ll also influence the cost of your SOC 2 preparation and auditor fees.
For the system description, you’ll need to tell the auditor what to review and explain what your system is designed to do. It’s an overview of your operations, product offerings, any tiers of your product offering, what it is, exclusions, and more. Should the auditor review just one application? Or do you have multiple products?
You need to write up this system description for the auditor. It could amount to a couple of paragraphs or over ten pages. It depends on your business and the complexity of your services, but you can expect to have at least one paragraph per product (think about it like unique SKUs).
Let’s say your business has a bookkeeping application — a free trial and two paid versions (a basic version and a deluxe version). In this bookkeeping example, you’ll need at least three paragraphs to describe your system, one per offering. If one SKU includes an API and another does not, you’ll also need to explain that API system, what it does, and which offerings include it.
This planning stage will also be when you define your regulatory requirements, contractual commitments, and which Trust Services Criteria apply to your business. Do you have clients located in the European Union, which means GDPR requirements apply? Do you sell software to the healthcare industry, with legal obligations under the HIPAA Security and Privacy Rules? A SOC 2 audit can help prove compliance to clients or prospects who need to verify your security compliance.
You’ll want to determine the Trust Services Criteria that the auditor should use in the assessment. Security is the one Trust Services category that is always included and is also called the Common Criteria. (You’ll see this coded as CC in Securicy’s security controls.) The other four categories are optional: Availability, Confidentiality, Privacy, and Processing Integrity. You can select which of these additional Trust Services Criteria, if any, you and your clients need assessed in this audit. You can learn more on our blog about why SOC 2’s Trust Services Criteria are essential when defining your audit scope.
After you’ve defined your systems and your audit scope, you begin “doing” the preparation.
The majority of your preparation will be ensuring that you are ready to produce whatever documentation the auditor requests as soon as the audit begins. The auditor will start out by requesting a list of items called “Common Population.” This is a gigantic pile of documentation and data, which they will then comb through during the audit.
Companies can use Securicy to customize and generate the bulk of this documentation, manage implementation, and report on SOC 2 readiness. We’re on a mission to make SOC 2 preparation as painless as possible — book a demo to see how Securicy works.
Once you’re confident that you have the correct security controls in place, you’ll need to research and evaluate third-party auditors to engage for your audit. Many companies begin by looking for an auditor in their price range (SOC 2 audit costs vary, typically starting at $20,000 to $40,000, with the fees depending on your system description, scope, and the CPA firm you select). You want a CPA firm with a good reputation that is qualified to complete a certified SOC 2 audit. Not all CPAs can do SOC 2 audits! As you’re comparing CPA firms, you can request an anonymized SOC 2 report to get an example of their work.
At this point, you’re ready to schedule and conduct the audit. You may be able to request a pre-audit readiness assessment, which can help you identify trouble spots in advance. Your auditor will also provide additional information and details, which will help set your expectations on the audit timeline and how they will conduct the audit. If you’re doing a SOC 2 Type 1 audit, a point-in-time audit that evaluates the design of your security program’s controls, the audit stage won’t take as long. A SOC 2 Type 2 audit, however, reviews the operating effectiveness of your security program over an extended period of time: the auditor will examine your policies, procedures, and security operations over a window of 6 to 12 months.
Ahead of this stage, you’ll need to determine how you will securely share documentation and records with the auditor when they request them. If you are using Securicy, you can invite your auditor to review your content about your security controls using Audit Connect. It’s secure, fast, and simplifies getting through your audit with a lot less hassle.
Finally! You got the SOC 2 report! Once you have the results, you can start sharing it with clients and sales prospects who have requested a copy of your SOC 2 report. Since the report contains sensitive information about your security program, you should never make it publicly available to download. It’s a best practice to require the requester to sign an NDA before sending over a SOC 2 report. Some companies will watermark reports with the requester’s name or email to deter the person receiving it from sharing or posting it online.
If you were well prepared, your SOC 2 report might be spotless. But you’ll want to look carefully for any exceptions or deficient areas that you need to remediate. Did the auditor find that not all of your employees had completed the mandatory awareness training required by your policies? That your asset inventory was poorly managed? For any noted issues, prepare in case questions come up and you need to demonstrate corrective action.
Keep in mind that after you have your audit results, you can’t let employees drop the ball on following security policies and procedures. Companies need to maintain ongoing security compliance. Companies may opt to renew their SOC 2 certification and get an annual SOC 2 report to prove continuous compliance, a practice recommended by auditors. Technically, SOC reports don’t expire, but sharing years-old reports with prospective buyers may not instill confidence in your security posture. Many security procedures require ongoing action or monitoring, or an annual activity (such as a penetration test). Depending on how old your SOC 2 report is and your buyer’s data security requirements, you may need to answer additional security questions or show more recent reports verifying your current procedures.
We know what a time-consuming ordeal achieving SOC 2 compliance can be — that’s why we have SOC 2 controls, policies, tasks, and planning tools built into the Securicy platform. With a custom-generated security program based on the SOC 2 framework and your unique business operations, you can quickly start checking off items on your SOC 2 to-do list. Talk with us about our mission to make SOC 2 readiness as painless as possible. One easy thing you can do to get started now? Check out our free eBook, How to Get Ready for a SOC 2 Audit.