
What Should Service Organizations Expect Throughout a SOC 2 Journey that Ends with an Audit?

When embarking on a SOC 2 journey, several steps must be completed to help lead to a successful audit/examination. This article outlines those steps at a high level.

The first step in the SOC 2 journey is often called a readiness assessment or preassessment, which usually takes 3 months to complete. It can be done more quickly or take longer depending on the availability of resources at the organization pursuing the SOC 2 report. SOC 2 audits follow the Trust Services Criteria created by the American Institute of Certified Public Accountants (AICPA), which outline the requirements for SOC 2 compliance. Organizations engage a CPA firm to guide them through this process.

Selecting a scope, as well as the SOC 2 principles that apply, is done first. Most organizations know which principles are needed for their first SOC 2 audit before the preassessment commences: either they choose based on their contractual obligations, or they start with the security principle alone. Depending on the type of organization, several principles can be selected. These principles are security, availability, processing integrity, confidentiality, and privacy. Security is the largest principle and the one most often required for SOC 2; the other four are optional depending on the type of organization.

For example, if an organization hosts data for customers, availability may be an excellent principle to include. If it hosts sensitive data, confidentiality or privacy can be included. The remaining option is processing integrity, which applies when the organization processes user data. The longest part of the preassessment is the next step: identifying current controls, mapping them to the Trust Services Criteria, and identifying any control gaps. These gaps are then filled by implementing new controls at the organization or by formalizing current controls that aren’t documented. We have found that many organizations have good controls in place, but they need to be formalized so that evidence is available and the controls can be tested.

During the previous step, one will come across subservice organizations that need to be called out in the SOC 2 report. Subservice organizations are vendors that are vital for an organization’s identified controls to operate effectively. Examples of subservice organizations may be data centers (such as AWS or Azure) or a managed service provider. Controls that apply to a subservice organization must be identified and documented; these controls are known as complementary subservice organization controls (CSOC). User entity (most likely client) controls that are vital for one’s identified controls to operate effectively are also documented and are known as complementary user entity controls (CUEC).

In the final step of the preassessment, the SOC 2 auditor requests evidence to confirm that specific controls are implemented and functioning. Verifying that the gaps identified earlier in the preassessment have been closed helps the auditor validate that these controls are in place and operating. This can surface any remaining gaps and lets the auditor become familiar with the evidence before the audit. The auditor wants to confirm that if an organization’s controls operate during the audit the way they did during the final evidence gathering of the preassessment, there will be no exceptions. Both the SOC 2 applicant and the SOC 2 auditor are then on the same page about the evidence required for the identified controls.

In summary, there are various steps to becoming SOC 2 compliant. These include communication, collaboration, and transparency with the independent auditors. By actively participating in the SOC 2 process, organizations can demonstrate their commitment to security, compliance, and the safeguarding of customer data.

For more information, be sure to visit our System and Organization Controls (SOC) service page and don’t hesitate to contact Dave Hammarberg, CPA, CFE, CISSP, GSEC, MCSE, CISA with further questions regarding SOC 2 reports and our services.

About the Author

Chris Fieger

Chris joined McKonly & Asbury in 2019 and is currently a Manager with the firm. He is a member of the firm’s System and Organization Controls (SOC) & Technology consulting practice, performing SOC 1, SOC 2, and SOC 3 engagements, as…
