Welcome to part four of SOC 2 Bootcamp, covering everything involved in the audit process, including understanding your report and how to use it!
Quick bootcamp rundown—we borrowed Bluth Company and Associates from Arrested Development. Monica works for Bluth Company and is getting their SaaS product, the Banana Stand, SOC 2 compliant.
In SOC 2 Bootcamp Part 1: Scoping and Auditor Selection, Bluth Company kicked off its SOC 2 journey. Monica has internal buy-in, selected an auditor, defined Trust Service Categories, completed scoping and wrote their Service Organization’s Description of Controls.
The second webinar, SOC 2 Bootcamp Part 2: Policies and Controls, focused on the meat of SOC 2, the policies and controls. We dove into a handful of policies required for SOC 2, what’s involved and the necessary controls to stay compliant.
SOC 2 Bootcamp Part 3: Evidence Collection concentrated on collecting evidence to show compliance with controls and policies. We looked at evidence that can be collected automatically and other evidence that requires manual intervention.
In this final webinar, we discuss the audit process! When we talked to Ryan Goodbary, Director of Risk, Assurance and Advisory Services at Armanino LLP in Part One, we left off at booking the readiness assessment. This time Patrick Hall, a Partner at Armanino, joins us to share the next steps in the SOC 2 process. We also tackle what to do with that report you worked so hard for and how to tell the world that you’re officially SOC 2 compliant so you can win more deals!
The Readiness Assessment
The readiness assessment sets the tone and the overall scoping for your audit. It’s a two to three hour process where you sit with your auditor and any key stakeholders to walk through the controls identified within the Tugboat Logic scoping assessment.
Auditors review the control language with you to ensure it’s appropriate for your organization and review each individual control. While every firm tackles this slightly differently, a good readiness assessment will allow your organization to understand how much additional work it will take for you to prep and get ready for the upcoming SOC 2 audit.
At the end of that readiness assessment, you’ll have a listing of recommendations and gaps identified during the assessment. Now that you’ve assessed how ready you are, the path is laid out to start the SOC 2 audit.
Am I Ready to Start the Audit?
After the readiness assessment, you’re ready to hit the ground running. It’s time to start prepping and getting everything ready for the audit. That may include tasks like drafting policies and procedures, performing reviews of those policies and procedures, penetration testing quarterly and generally ensuring that all your documentation is set up. This needs to be repeatable so you can gather evidence in real-time at the appropriate intervals.
Preparing for a SOC 2 Type 1 Versus a SOC 2 Type 2 Audit
There are some differences between SOC 2 Type 1 and SOC 2 Type 2. Type 1 covers a specific point in time, while Type 2 covers a period of time. For a Type 1, it boils down to having documentation and policies. Do you have a documented procedure? Can you show evidence that you’ve done what the documents say you will? For example, have you completed your annual penetration test within the last 12 months, or can you show proof that one is scheduled?
The main difference for a Type 2 is that auditors look for samples. They want to see established repeatable processes over a period of time. That’s why Type 2 is more challenging and why it’s the gold standard.
Bluth Company Kickoff for a Type 1 Scenario
The Bluth Company has set June 30 as their kickoff date, and they have a lot to put in place for their SOC 2 audit. So a month before, Armanino will reach out to them to check in and start planning the actual testing.
Bluth Company and Armanino’s team will go over the evidence tasks that are going to be required to fulfill the audit and answer any questions. Then within Tugboat Logic, the audit project for a Type 1 would be set up so you can see all the evidence tasks. Armanino has access to Tugboat Logic, so they can also go in and review any uploaded evidence. At that point, a scheduled time is set to have an auditor on-site during traditional hours or, thanks to COVID, complete everything remotely.
Typically there are three to four weeks of lead time for the SOC 2 audit to make sure there’s enough time to start uploading that evidence into Tugboat Logic. Then it’s smooth sailing for the scheduled testing week because everything’s already in place for the auditor to do their reviews.
Bluth Company Kickoff for a Type 2 Scenario
For a SOC 2 Type 2, it’s a different process. On average, it’s two to three months of remediation leading up to a three to six month observation period. The remediation period depends on a couple of variables, including how prepared your organization is after the readiness assessment and your internal resources. Maybe there are only a few small things to fix or prepare. In that rare situation, you may be ready to kick off your audit in a week or two. But if you have limited internal resources, it could take longer, which is why it’s often a two to three month process. Every organization is unique.
When you give the A-OK to the auditor, they start the clock on a three, six, or 12 month observation period. In this case, Bluth Company has picked June 1 to have everything in place and a three-month observation period the auditor will eventually test. There will be plenty of interviews with various stakeholders like HR. This is an opportunity for the auditor to walk through all the controls the stakeholder is responsible for and make sure that they’re operating as written. Evidence may include a listing of all new hires and terminations during the period.
Continuing with the HR example, auditors will ask to be walked through the new hire process. First, you’ll talk through it, confirming that it mirrors exactly what’s written in your policies and your controls. Then you’ll discuss the evidence. Bluth Company uploaded all evidence into Tugboat Logic so their auditor could review it in real-time. In certain circumstances, auditors are required to test the completeness and accuracy of the information provided, making sure that the data provided hasn’t been manipulated before it’s received.
For instance, the auditor may request you pull up your current password settings and submit a screen grab to compare them to the submitted evidence to prove nothing has been manipulated.
After these interviews, most organizations get a break. The auditors get to work and do the testing over a couple of weeks. They may have follow-up questions as they go through the review process and complete multiple layers of review internally.
When Do I Get My Report?
All auditors and firms have their own processes and timelines, so you’ll need to confirm timelines with them when you’re picking your SOC 2 auditor. However, Armanino, for this example, says about four weeks.
What’s in a SOC 2 Report?
Section 1: Assertion of the Management
The assertion provides the reader with the facts and assertions, or statements, made by the service organization’s management related to the system(s) under audit. This section is produced by your company as the service organization. It’s a summary of your product, services, structure and lightly covers your IT systems, teams and controls.
SOC 2 Section 2: Independent Service Auditor’s Report
The auditor discloses what they tested and how over the stated period and explains the scope.
Kinds of opinions presented by the auditor in this section and what they mean:
- Unqualified—You pass! Gold star!
- Qualified—Room for improvement.
- Adverse—Your system has concerning gaps.
- Disclaimer of Opinion—Incomplete. You didn’t provide the auditor with enough information for them to form an opinion.
SOC 2 Section 3: Description of Your System
This is one of the most comprehensive and detailed sections in the report, written by your company as the service organization. This section is an overview of the company being assessed and builds upon the items mentioned in section one. While the auditor may give you some guidance, it is up to you to write this section. We recommend getting started on this early so it doesn’t delay your report.
SOC 2 Section 4: Applicable Trust Service Categories, Criteria, Related Controls, Tests of Controls and Results of Tests
Section four is a great deal longer than section two but just as exciting because it shows the WHY behind your auditor’s opinion.
This section includes:
- Control objectives related to the applicable trust service categories
- Controls in place at the service organization to meet the objectives
- Auditor’s tests of the controls and test procedures
- Results of the tests performed by the auditor
SOC 2 Section 5: Other Information Provided by Organization Not Covered by the Service Auditor’s Report
Section five is optional and not tested by your auditor. It provides additional information about your organization’s future plans for new systems or key aspects of your control environment that are not covered by section three. It gives you space for any additional context or information you would like to communicate to your customers.
Learn more about SOC 2 report structure here.
Sharing Your SOC 2 Audit Report
You have your report and it’s yours to share as you wish. That being said, it’s typically recommended that you get an NDA from anybody you share it with. But ultimately, it’s management’s decision who to share it with, and when and how. Through the AICPA, you can get a SOC 2 seal to put on your website and in your marketing materials if you’d like to showcase your achievement that way. Your SOC 2 report itself should not be posted openly on your website.
What Happens After Completing SOC 2?
Now that you’ve crossed the finish line and you’ve got your SOC 2 audit report in hand, it’s time to start all over again. The next observation period is going to start right away. If you’ve achieved Type 1, you likely need a Type 2 but pursued Type 1 to keep sales moving. So now you’re on to bigger and better things—well done!
Type 2 reports are typically accepted for 12 months, but you shouldn’t have any gaps between reports. The process keeps going. For subsequent audits, the process is identical, except that it excludes the readiness assessment. Most companies extend their observation period to 12 months to avoid the cost and time of completing an audit every three months.
To learn more, watch the entire SOC 2 Bootcamp Recap Part 4: The Audit video or schedule a walkthrough with Tugboat Logic!