SOC 2 FAQs: A Webinar Recap
by Tori Thurmond / May 9th, 2023
SOC 2 is one of our most popular audits here at KirkpatrickPrice. We know that many of our clients need and want to fulfil SOC 2 requirements to prove their commitment to compliance and satisfy client requests. That’s why we partnered with Lightspin, a cloud security platform, to tackle some SOC 2 FAQs in our latest webinar, SOC 2 in the Cloud for SaaS Companies.
During the webinar, our President and Founder, Joseph Kirkpatrick, spoke with the Director of Technical Solutions at Lightspin, Michael Silva, to break down SOC 2 questions that were on the minds of webinar attendees.
Note: These answers were compiled from Joseph’s answers and have been summarized for readability. The answers below are not direct quotes.
Q: What is SOC 2?
A: A SOC 2 audit is an independent examination of an organization’s internal controls, policies, and procedures to ensure that they are doing everything they can to protect customer data. During a SOC 2 audit, your auditor will evaluate your controls according to the Trust Services Criteria to make sure you have proper controls in place and that they are functioning properly. A SOC 2 audit tests and confirms your compliance efforts.
Q: What’s the difference between a SOC 2 Type I and a SOC 2 Type II audit?
A: A SOC 2 Type I audit focuses on a specific point in time where the auditor can look at the organization’s controls and give an opinion on whether or not the controls in place were suitable at that point in time.
A SOC 2 Type II audit includes testing of controls and looks back at the audit history across a period of time, usually 6 months or a year.
Q: What are some common misconceptions surrounding SOC 2 audits?
A:
- You’ll receive a certification when you complete a SOC 2 audit.
The result of completing a SOC 2 audit is an attestation from your auditor. You’ll receive an independent opinion that you have the correct controls in place to properly secure the data your organization possesses in the form of a SOC 2 audit report, not a certification.
This report is important to share with your clients because it includes your controls and how they were tested. Your clients need access to your report so they can set up their own controls accordingly.
- A SOC 2 audit report is only a claim that you do what you say you’re doing.
Because SOC 2 audits are performed by an independent, third-party auditor, the auditor has the ability to dispute any claims that the organization makes if the auditor does not find suitable evidence to back up those claims. The auditor is there to confirm that your controls are well designed, relevant, and operating effectively; however, if your controls are not working properly, that will be reflected in their opinion.
Q: Why is a SOC 2 audit needed?
A: SOC 2 compliance is important to the customer of a service organization. Virtually every business outsources one aspect of their business or another. Outsourcing certain tasks can save time and money, but organizations need to make sure that whoever they are going into business with is trustworthy and manages data securely. Many of the big-name breaches that have occurred recently are due to the improper management of data by vendors. Just as you would want evidence that any vendors you work with are managing your organization’s data the way that they claim they do, your customers want the same reassurance .
Q: What’s the goal of implementing internal controls?
A: Not only do internal controls help ensure that you’re doing everything you can to keep your organization’s sensitive data safe but they also help build an environment where compliance is embraced within your organization. Security is a mindset that should be adopted by your entire organization. Once all members understand the internal controls you have in place and how important they are to uphold, you’ll be able to create a security culture you can be proud of, making your audit process less intimidating.
Q: What population of controls should your auditor look at for SOC 2 compliance?
A: Auditors are looking to achieve reasonable assurance that your controls are suitably designed and operating effectively. Your auditor will evaluate that the controls you have in place meet the criteria set by the AICPA. These criteria and points of focus are from the COSO framework. The criteria was designed for flexibility and use in a variety of different subject matters, which is why auditors seek reasonable assurance and not perfection.
Additionally, it’s impractical to test 100% of every control within your organization. It’s your auditor’s job to sample your environment in an effort to achieve the greatest level of reasonable assurance. For example, if your auditor is testing to see if users are following your multi-factor authentication (MFA) requirements, they would test between 10% – 30% of your employees to see if that sample is following the MFA guidelines. If those employees are following your organization’s MFA requirements, your auditor would be able to provide a favorable opinion regarding your organization’s MFA controls.
Even if your auditor had the capacity to test that every single user was adhering to all of your organization’s controls, there would still the possibility for human and technological error. Make sure you’re choosing an experienced auditor who understands what samples are needed from your various controls so you can feel confident that those controls are functioning as they should be.
Q: What is the bare minimum timeline your SOC 2 can cover?
A: There’s no prescriptive guidance on the timeline your SOC 2 audit needs to cover. At KirkpatrickPrice, we’ve seen organizations that have had specific requests for time periods as short as 3 months. However, the most common timeline requested is between 6-12 months.
Q: Why is scope so important for a SOC 2 audit?
A: Scope is important for a SOC 2 audit because it determines what services and controls are included in the audit and what are not. It’s important for you and your auditor to have a good understanding of what should be included in the scope of your audit to make sure you’re addressing any vulnerabilities that may go unnoticed if certain controls aren’t included.
Q: What’s the internal benefit of a SOC 2 audit?
A: Whenever your organization is ready to undergo a SOC 2 audit, a level of maturity is indicated. Undergoing an audit is a beneficial process for the whole organization because it allows you to see what you are already doing right and where you can improve. Not only does the audit process serve as a learning opportunity and an accountability check but it also allows you to be proud of the work you are doing to reach your compliance goals and encourages improvements from year to year.
We’ve often worked with clients at KirkpatrickPrice whose auditor identified vulnerabilities one year, but when the auditor returns the following year, the employee(s) responsible for that past finding have a sense of pride and responsibility for the work they have completed to remediate past findings.
Compliance is an ongoing journey. Make sure you choose an auditor you can trust, so you can work together to better achieve your security goals.
Q: When do you need a SOC 2 audit?
A: Every organization’s SOC 2 timeline is different. We’ve seen SOC 2 audits completed at many different stages in an organization’s journey. Most commonly, an organization will start a SOC 2 audit when they are asked by a client or are ready to take the next step and elevate themselves on the market.
Regardless of when you feel ready to actually start your audit, it’s a good practice to begin preparing now. Start by having your policies or risk assessment reviewed or just by looking into compliance resources that will help you get ready for whenever you decide to being your audit.
Q: Once you’ve identified the need for a SOC 2 audit, how do you find the right auditor?
A: Cybersecurity compliance is an ever evolving and increasingly relevant industry, so there are many options when it comes to finding an auditor. SOC 2 audits must be performed by a CPA firm, so make sure to include that in your list of qualifications to consider when looking for the auditing firm that’s right for your organization. CPA firms have a board that oversees that they are upholding certain educational and ethical requirements that other firms are not held to. By hiring a CPA firm to conduct your audit, you are guaranteed a level of quality that you would not otherwise have.
In addition to making sure your auditor is qualified to perform your audit, make sure their capabilities align with your tech stack. For example, if your organization utilizes the cloud to store a majority of your data, you need to make sure that your auditor has experience and knowledge involving the cloud. You don’t want to have to teach your auditor about the technology your organization uses during your audit.
Interview your auditor. Make sure you’re choosing a firm that aligns with your compliance goals.
Q: Do any new roles, such as a CISO, need to be added before starting your audit?
A: Again, all organizations are different and have different compliance needs when looking to undergo an audit. The most important thing about starting an audit is making sure the necessary members of your organization are ready to commit to the audit. Engagement and willingness are two of the most important aspects of a successful audit.
At KirkpatrickPrice, we’ve worked with organizations who had large IT and security programs that were not ready for the commitment of an audit and, therefore, did not have the most successful audit engagement they could have. We also have smaller clients who are fully committed to the auditing process. They are the clients whose decision makers and department leaders are committed from the beginning and are willing to do what is needed to provide information to their auditor and identify and remediate any issues that the auditor may identify.
Q: What advice do you have for organizations that are considering a fully-automated audit?
A: What happens a lot of the time when organizations want a quick, automated audit is that they only what to focus on the controls that can be fully automated. However, these types of audits don’t have the ability to dive into the processes, procedures, or continuous development practices that organizations should be implementing. You and your clients deserve a more detailed audit that will prove your commitment to security and compliance.
Q: What do you do after you complete your first SOC 2 audit?
A: Compliance should be a continuous business strategy whether you’re actively going through an audit or not. Ways to continue your compliance efforts throughout the year are:
- Risk management
- Noting any configuration or policy changes that occur
- Maintaining a good relationship with your auditor
Partner with an Expert Who Cares
Here at KirkpatrickPrice, we understand that SOC 2 compliance can be intimidating whether you’ve gone through many audits before or if you’re getting ready for your first one. We want to partner with you from audit readiness to final report and help you achieve your compliance goals.
If you still have questions about SOC 2 or are ready to start your audit, connect with one of our experts today.
Prepare to successfully start and complete your SOC 2 audit by downloading the SOC 2 Compliance Checklist!
SOC 2 Compliance Checklist
You know you need a SOC 2 audit, but don’t know what to expect or how to get started. This guide will prepare you for what your auditors are looking for and how to confidently begin your SOC 2 compliance journey.
