Getting started with SOC 2:

So, you have heard about SOC 2: maybe some of your clients are asking whether you have a SOC 2 report, or you want to strengthen your security program by getting an external audit.

SOC 2 is a widely used standard for auditing your IT and security environment.  A SOC 2 report provides evidence for clients that require a third-party assessment, and it gives management assurance that the company is actually performing the IT and security controls it has committed to.

To start, let’s explain what a SOC 2 is.

SOC 2:

SOC 2 was developed by the American Institute of CPAs (AICPA).  It defines criteria for managing customer data based on five “trust service principles” (the AICPA now calls them trust services criteria): security, availability, processing integrity, confidentiality and privacy.  The SOC 2 report is essentially an audit of the controls you have stated that you follow.  These controls are defined in your IT and security policies and executed by your organization.  For example, if you have a policy stating that you perform access reviews quarterly, the external auditor will test that control to confirm it is actually being performed and will report on it in the final SOC 2 report.

There are two types of SOC 2 reports:

  • SOC 2 – Type 1:
    • This type is a review of your controls and relevant documentation to confirm those controls exist in the environment as of a specific date.  For example, if you state that you have IT and security policies in place, the auditor will ask for those policies to confirm they exist.  Type 1 describes the systems you have in place and whether the design of your controls is suitable to meet your selected trust principles; it does not test whether the controls have been operating over time.  More about trust principles below.
  • SOC 2 – Type 2:
    • This type is a Type 1 plus actual testing of all the controls.  For every control, you will need to provide evidence that the control was executed (completed) during the audit period; a control with no evidence is treated as not performed.  Type 2 is a test of the operating effectiveness of all the controls you have stated you follow.

Timeframe of SOC 2 reports:

  • For a Type 2, the audit period is generally 6 or 12 months, and the auditors test that the controls operated throughout that period.  For example, if you selected 12 months, the auditors will review the previous 12 months of evidence and test the controls against it.  A Type 1 has no audit period; it reports on control design as of a single date.  Some clients require reports more frequently or over different periods, but those are special cases.

Trust principles:

  • The trust principles you select shape the required controls for the SOC 2.  Security is required in every SOC 2 report; the other four are optional and are added based on your customer requirements.  The five trust principles are described below:
  • Security:
    • The security principle refers to protection of system resources against unauthorized access. Access controls help prevent potential system abuse, theft or unauthorized removal of data, misuse of software, and improper alteration or disclosure of information.
    • Typical controls include network and web application firewalls (WAFs), two-factor authentication, intrusion detection, encryption, and the other measures that implement your company’s security posture.
  • Availability:
    • The availability principle refers to the accessibility of the system, products or services as stipulated by a contract or service level agreement (SLA).  The minimum acceptable level of system availability is therefore set by both parties.  For example, if a specific customer has contractual uptime requirements, the controls that support those requirements would be tested under availability.
    • This principle does not address system functionality and usability, but does involve security-related criteria that may affect availability. Monitoring network performance and availability, site failover and security incident handling are critical in this context.
  • Processing integrity:
    • The processing integrity principle addresses whether or not a system achieves its purpose (i.e., delivers the right data at the right price at the right time). Accordingly, data processing must be complete, valid, accurate, timely and authorized.  For example, there may be controls related to ensuring data is processing correctly and how those data processing results are verified.
    • However, processing integrity does not necessarily imply data integrity. If data contains errors prior to being input into the system, detecting them is not usually the responsibility of the processing entity. Monitoring of data processing, coupled with quality assurance procedures, can help ensure processing integrity.
  • Confidentiality:
    • Data is considered confidential if its access and disclosure is restricted to a specified set of persons or organizations. Examples may include data intended only for company personnel, as well as business plans, intellectual property, internal price lists and other types of sensitive financial information.
  • Privacy:
    • The privacy principle addresses the system’s collection, use, retention, disclosure and disposal of personal information in conformity with your organization’s privacy notice, as well as with the criteria in the AICPA’s generally accepted privacy principles (GAPP).  For example, if processing a client’s sensitive personal data is a core part of your business, additional privacy controls may be required.
    • Personally identifiable information (PII) refers to details that can distinguish an individual (e.g., name, address, Social Security number).  Some personal data related to health, race, sexuality and religion is also considered sensitive and generally requires an extra level of protection.  Controls must be put in place to protect all PII from unauthorized access.

What’s next:

    • Now that we have reviewed the basics of SOC 2, what do you do next?  A firm grasp of the report types and trust principles above will help as you move down the SOC 2 path.
    • Type 1 vs Type 2 what is right for your company:
      • When starting out, a Type 1 is the most common first step.  It establishes which controls belong in your SOC 2 report and gives you time to get those controls in place before you have to prove they operate.
      • Once a Type 1 is complete, it is easier to move to a Type 2: the controls are already documented, so the remaining work is executing them and recording evidence that they were completed.
      • Some organizations jump straight to a Type 2 and often end up with a report that lists control exceptions.
    • What trust principles should I choose:
      • This largely depends on your clients.  In general, most client requirements are satisfied by the Security principle, which every SOC 2 includes.  Other trust principles can be layered on in later reports as needed, and some of their criteria are already covered by controls under Security.
    • How do I prepare for a SOC 2:
      • The first major step is an implemented IT and security governance framework.  This is the foundation: policies, processes, and controls that are documented, implemented in the organization, and ultimately tested in the SOC 2.
      • IT and security policy -> processes/procedures -> controls execution/monitoring
      • Assuming an IT and security policy is in place or being implemented, the next step is to make sure the things your policy and processes say are actually true.  For example, if a policy says all endpoints are encrypted or that access reviews happen quarterly, check that this is the case and implement the control, or adjust the policy, as required.
    • Steps to a SOC 2 audit:
      • Unless you already have an established SOC 2 program, the engagement generally involves these phases:
        • SOC 2 readiness – An assessment by the auditor (or a readiness consultant) to define the SOC 2 controls and perform a pre-audit before the official SOC 2 assessment.
          • During this phase, controls are defined and gaps are identified against the SOC 2 criteria.
          • Spend ample time here to ensure your company’s controls are in place and functioning; the readiness assessment will usually uncover gaps in the required controls.  IT/security teams and management should collaborate so every team knows what must be implemented for the company to meet the control requirements.
        • SOC 2 audit – Depending on whether it is a Type 1 or Type 2, this is a walkthrough of the system design and controls, evidence gathering, and testing of operating effectiveness (Type 2 only).  For both types, this is when the majority of the work is executed.
        • Burn-in period – Between readiness and a Type 2 audit, the controls must be in place and operating for the whole audit period you selected.  For example, with a 6 month audit period the controls need to have been functioning for at least 6 months before the auditor tests them.
      • SOC 2 results – Here are the possible auditor opinions:
        • Unqualified: The auditor found the controls suitably designed (and, for a Type 2, operating effectively); the company passed its audit.
        • Qualified: The report is fair overall, but one or more controls had exceptions that require attention.
        • Adverse: The company failed its audit; the controls were not suitably designed or did not operate effectively.
        • Disclaimer of Opinion: The auditor could not obtain enough evidence to form a conclusion.
        • Good collaboration with the auditor, and time spent remediating items from the SOC 2 readiness, should help you avoid the last two outcomes.
    • Going forward after the SOC 2:
      • Completing a SOC 2 audit is a major accomplishment!  Now your company has to track, update, and execute the controls going forward.  The main reason controls fail is that something simply wasn’t done: an access review was missed, no one was reviewing the firewall rules, the endpoints weren’t checked to confirm they were all encrypted, and so on.  This is where proper tracking and attestation become critical: every required control must be completed on time, and the evidence for it gathered and documented for the next audit.
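As an added example (not from the original post), here is a small control tracker of the kind that catches a missed or undocumented control before the auditor does.  Each control in a register has a required frequency, and the script checks that evidenced executions cover the whole audit period with no gap longer than that frequency; an execution with no evidence attached is treated as not performed, which is how an auditor will treat it.  The register, the control IDs, the dates, and the day thresholds per frequency are all constructed assumptions for illustration, not AICPA requirements.

```python
"""Control-execution tracker for a SOC 2 Type 2 audit period.

Added example. The register below is constructed sample data, and the
day thresholds in FREQUENCY_DAYS are assumed tolerances, not AICPA rules.
"""
from dataclasses import dataclass
from datetime import date, timedelta

# Maximum allowed days between two executions of a control (assumption).
FREQUENCY_DAYS = {"weekly": 7, "monthly": 31, "quarterly": 92, "annual": 366}


@dataclass
class Execution:
    performed_on: date
    evidence: str  # ticket id, file path, screenshot name; "" = nothing captured


@dataclass
class Control:
    control_id: str
    description: str
    frequency: str
    executions: list


def missing_evidence(control, period_start, period_end):
    """Dates in the period on which the control was marked done but no evidence was kept."""
    return sorted(e.performed_on for e in control.executions
                  if not e.evidence and period_start <= e.performed_on <= period_end)


def coverage_gaps(control, period_start, period_end):
    """Return (from, to) windows inside the audit period that exceed the
    control's frequency with no evidenced execution.

    The most recent evidenced execution on or before the period start
    anchors the first interval; with no such execution, the first run
    must happen within one frequency interval of the period start."""
    max_gap = timedelta(days=FREQUENCY_DAYS[control.frequency])
    evidenced = sorted(e.performed_on for e in control.executions if e.evidence)
    prior = [d for d in evidenced if d <= period_start]
    last = prior[-1] if prior else period_start
    gaps = []
    for d in evidenced:
        if not period_start < d <= period_end:
            continue
        if d - last > max_gap:
            gaps.append((last, d))
        last = d
    if period_end - last > max_gap:
        gaps.append((last, period_end))
    return gaps


def evaluate(controls, period_start, period_end):
    """Per-control result for the audit period: coverage gaps, undocumented
    runs, and whether the control can be reported as operating effectively."""
    results = {}
    for c in controls:
        gaps = coverage_gaps(c, period_start, period_end)
        undocumented = missing_evidence(c, period_start, period_end)
        results[c.control_id] = {
            "gaps": gaps,
            "missing_evidence": undocumented,
            "effective": not gaps and not undocumented,
        }
    return results


# Constructed sample register and a 6 month audit period.
PERIOD_START = date(2024, 1, 1)
PERIOD_END = date(2024, 6, 30)

SAMPLE_CONTROLS = [
    Control("AC-01", "Quarterly user access review", "quarterly", [
        Execution(date(2023, 12, 28), "JIRA-101"),  # before the period; anchors the first quarter
        Execution(date(2024, 3, 25), "JIRA-140"),
        Execution(date(2024, 6, 20), "JIRA-188"),
    ]),
    Control("CM-02", "Monthly firewall rule review", "monthly", [
        Execution(date(2024, 1, 15), "CR-9"),
        Execution(date(2024, 2, 14), "CR-17"),
        Execution(date(2024, 4, 16), ""),  # done, but nobody kept evidence: counts as not done
        Execution(date(2024, 5, 13), "CR-41"),
        Execution(date(2024, 6, 12), "CR-50"),
    ]),
    Control("DR-04", "Annual backup restore test", "annual", [
        Execution(date(2023, 9, 10), "RESTORE-2023"),  # last year's test still covers this period
    ]),
]

if __name__ == "__main__":
    for cid, r in evaluate(SAMPLE_CONTROLS, PERIOD_START, PERIOD_END).items():
        status = "effective" if r["effective"] else "EXCEPTION"
        print(f"{cid}: {status} gaps={r['gaps']} missing_evidence={r['missing_evidence']}")
```

On the sample data, AC-01 and DR-04 come out effective, while CM-02 is flagged twice: the April run has no evidence, so the evidenced runs jump from February to May and leave a gap wider than a month.  Run against a real control register, a check like this belongs in the same place you track the controls, so the gap is found while there is still time to perform the control inside the audit period.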

SOC 2 programs are a major investment and need constant maintenance to ensure they are operating effectively and that audits can be completed without issue.  It’s important to note that these controls span the entire operations of your company, so having the resources, management involvement, and effective management of the controls will be key in maintaining a successful SOC 2.