SOC 2 Type 2 Audits: What to Expect and How to Prepare
Key Takeaways
- Know the Process: The SOC 2 audit includes a readiness assessment, defining scope and controls, collecting evidence, fieldwork, and final reporting. Choose an audit firm that fits your needs.
- Prepare Strong Documentation: Maintain updated policies, provide full data sets, and ensure all evidence is clear, complete, and time-stamped.
- Stay Responsive and Communicative: Respond quickly to auditor requests and keep communication open to ensure a smooth, successful audit.
A SOC 2 audit can be daunting if you have never been through the process before. A lot of effort and calendar time go into completing one, but the result is worth it. A SOC 2 report is a structured way for a company to show customers and prospects that it has the controls in place to protect customer data and that an independent auditor has tested those controls over a period of time. Although the report is not meant for marketing purposes, it does go a long way with potential customers during vendor due diligence. In this article we will discuss the audit stages, documentation requirements, and strategies for a successful audit, all of which should ease the minds of anyone who will need to go through a SOC 2 audit soon.
SOC 2 Audit Stages
First, let’s discuss the stages of the audit. A company looking to obtain a SOC 2 Type 2 report should research and interview auditing firms to find a good fit. Pricing is an obvious factor (the saying is mostly true: you get what you pay for), but the company should also consider whether the firm can meet its timeline, whether the firm staffs the engagement with experienced professionals, and whether the firm’s culture and working style align with its own.
Once a firm is selected, the firm will have the company sign an Engagement Letter, which authorizes the firm to begin work. A pre-assessment (also called a readiness assessment) is usually the first step toward being ready for a SOC 2 audit. During it, the company and the firm work together to define the scope of the audit and the list of controls to be tested. This step involves a lot of back and forth, because the company must review its documents and processes to confirm that evidence is actually being generated and retained for every control it identifies. The system description (narrative), the identification of subservice organizations, the complementary subservice organization controls, and the complementary user entity controls are usually prepared in this step as well. One of the final steps of the pre-assessment is examining the company’s existing evidence so that neither the company nor the firm is surprised during the actual audit. Finally, the audit period is selected: the window of time (commonly six to twelve months) over which the Type 2 report will state that the controls operated effectively.
Usually, the firm will have the company sign a second Engagement Letter for the SOC 2 Type 2 audit itself. After it is signed, a planning meeting is held in which the firm reviews the agreed scope, lays out the audit plan and timeline, and introduces the company and firm teams that will work together. The next stage is fieldwork, during which the company gathers and submits the evidence for each control and the firm performs its test work on that evidence. Once all evidence has been collected and tested, the firm issues a draft report to the company for review; the company reviews it, any changes are made, and the final report is issued. The exact steps may vary slightly from firm to firm, but these are the typical stages of a SOC 2 audit.
Documentation Requirements
There are certain documentation requirements for the SOC 2 audit, and they come into play in the fieldwork stage, when evidence for the controls is collected. One major category the firm will request is the policies that govern specific controls. A good rule of thumb is to review and update policies at least annually and to keep a revision history log in each policy that records what was changed, when, and who reviewed and approved it. When collecting evidence, the firm may ask to observe systems and reports directly. Alternatively, the company can take screenshots of its systems and provide them to the firm. If it does, the screenshot should include the system clock (the date and time shown in the taskbar or menu bar) so the firm can confirm that the evidence was captured during the audit period and that the configuration shown is current. A screenshot taken before or after the period does not support the control for the period being examined.
Additionally, when providing evidence, it is a best practice to read through each control sentence by sentence and make sure evidence is provided for every part of it; a control that says “reviewed and approved” needs evidence of both the review and the approval. Another routine request from the firm is complete populations of new hires, terminations, helpdesk tickets, incident tickets, change tickets, and so on for the audit period. It helps the firm if the company records the parameters used to pull each report (the source system, the report or query name, the date range, and any other filters), because the auditor must be satisfied that the population is complete before selecting a sample from it to test. A population pulled with the wrong date range or a missing filter will usually have to be re-pulled, which costs both sides time. A great deal of information must be gathered in a short time during fieldwork, and following these documentation suggestions will make it smoother for both the company and the firm.
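As an added example (not from the article or the firm’s own tooling), the following Python script shows one way to package a population export so that the completeness question is answered up front: it filters a hypothetical HRIS termination export to the audit period (both boundary dates inclusive), writes the population as CSV in a deterministic order, and produces a manifest that records the source, the filter parameters, the record count, a SHA-256 hash of the file and the capture timestamp. The records, the source name and the field names are constructed for illustration. A verify step recomputes the count and hash before the file is submitted, so that an edited or truncated export is caught on the company’s side rather than the auditor’s.

```python
"""Population export with a completeness manifest for SOC 2 Type 2 fieldwork.

Added example, not code from the original article. The source name, the field
names and the records below are hypothetical and constructed for illustration.
"""
import csv
import hashlib
import io
import json
from datetime import date, datetime, timezone

# Constructed sample: a hypothetical HRIS termination export (not real people).
SAMPLE_TERMINATIONS = [
    {"employee_id": "E1005", "termination_date": "2025-01-02", "access_revoked": "2025-01-02"},
    {"employee_id": "E1003", "termination_date": "2024-06-10", "access_revoked": "2024-06-11"},
    {"employee_id": "E1001", "termination_date": "2023-12-28", "access_revoked": "2023-12-28"},
    {"employee_id": "E1004", "termination_date": "2024-12-31", "access_revoked": "2025-01-02"},
    {"employee_id": "E1002", "termination_date": "2024-01-01", "access_revoked": "2024-01-01"},
]
FIELDNAMES = ["employee_id", "termination_date", "access_revoked"]


def select_population(records, date_field, period_start, period_end):
    """Return every record whose date_field falls inside the audit period, both ends inclusive.

    This is the full population, not a sample: the auditor chooses the sample from it.
    """
    start = date.fromisoformat(period_start)
    end = date.fromisoformat(period_end)
    if start > end:
        raise ValueError("period_start must not be after period_end")
    in_period = [r for r in records if start <= date.fromisoformat(r[date_field]) <= end]
    # Deterministic order so the hash recorded in the manifest is reproducible.
    return sorted(in_period, key=lambda r: (r[date_field], r["employee_id"]))


def export_with_manifest(records, date_field, period_start, period_end, source, captured_at=None):
    """Build the CSV population and a manifest recording exactly how it was pulled."""
    population = select_population(records, date_field, period_start, period_end)
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=FIELDNAMES, lineterminator="\n")
    writer.writeheader()
    writer.writerows(population)
    csv_text = buf.getvalue()
    captured = captured_at or datetime.now(timezone.utc).isoformat(timespec="seconds")
    manifest = {
        "source": source,  # system and report the population came from
        "filter": {"field": date_field, "period_start": period_start, "period_end": period_end},
        "record_count": len(population),
        "sha256": hashlib.sha256(csv_text.encode("utf-8")).hexdigest(),
        "captured_at": captured,  # when the evidence was captured (ISO 8601, UTC)
    }
    return csv_text, manifest


def verify_manifest(csv_text, manifest):
    """Pre-submission check: the CSV still matches the count and hash the manifest claims."""
    rows = list(csv.DictReader(io.StringIO(csv_text)))
    digest = hashlib.sha256(csv_text.encode("utf-8")).hexdigest()
    return len(rows) == manifest["record_count"] and digest == manifest["sha256"]


if __name__ == "__main__":
    csv_text, manifest = export_with_manifest(
        SAMPLE_TERMINATIONS, "termination_date", "2024-01-01", "2024-12-31",
        source="hris.example.internal / Terminations report",  # hypothetical source
    )
    print(csv_text)
    print(json.dumps(manifest, indent=2))
    print("manifest verified:", verify_manifest(csv_text, manifest))
```

The manifest is what answers the auditor’s completeness question: it states the system, the report, and the exact date range used, and the hash lets the auditor confirm that the file they sampled from is the one the manifest describes. Submitting the manifest alongside the CSV (or pasting it into the evidence request) is usually enough to avoid a re-pull.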
Successful Audit Strategies
Lastly, everyone wants to know the keys to a successful audit. The first is to stay on top of the supporting evidence that must be gathered and provided to the firm: the sooner the evidence is provided, the sooner the auditor can test those items and return any feedback, and the sooner gaps can be fixed while there is still time in the period. The second is to respond promptly to every request from the firm, including follow-up questions about evidence already submitted; this keeps the audit moving and can get the company its report sooner. The third is not to be afraid to reach out to the firm with general questions, questions about which evidence best supports a given control, or how to improve the evidence already provided. The auditors are there to help the company and to suggest ways to strengthen both the controls and the SOC report. Overall, staying in contact with the firm and providing timely evidence is the key to a successful audit.
Hopefully, this discussion of the audit stages, documentation requirements, and strategies for a successful audit has made the SOC 2 audit process a little less daunting. Knowing the stages of the audit, what evidence to provide, and how to work with the firm will help companies be better prepared for a SOC 2 audit.
If your entity is interested in obtaining any additional information on SOC reports, or if there are any other questions related to SOC, please contact us. For more information on these services and more, be sure to visit our firm’s SOC & Cybersecurity industry page, and don’t hesitate to contact Dave Hammarberg, CPA, CFE, CISSP, GSEC, MCSE, CISA, CCSFP, CHQP, CCA regarding our services.
About the Author

Kaity joined McKonly & Asbury in 2021 and is currently a Supervisor with the firm. She primarily works with clients in the SOC industry and employee benefit plan audits.