Our customers frequently ask us, "Which controls are most often missed or incomplete during audits, and how will you help us make sure we're ready?" So, we asked our CISO Jose Costa, head of the Tugboat Security Labs Team (the team that helps customers know everything about compliance) and former partner at PwC, to help answer this question. Even if you don't end up working with us as customers, we want you to get the best info possible so that you can be secure and pass all the audits 😎💪
TL;DR from Jose, CISO at Tugboat Logic and former partner at PwC:
"In general, I would say:
#1 is risk assessments because they're very hard because they're never documented, and when they do get documented, it turns out to be very weak documentation. More broadly, anything that has to do with formalization of processes is hard for small companies. #2 are penetration tests because clients tend not to do them right away when they should because it takes a lot of time to schedule them and get them completed. #3 is vendor risk management because it can be tough to audit and keep track of all the vendors and contractors you're working with. #4 is on/offboarding because of the lack of formal processes and checklists in place."
And here are the full explanation and guides to why people fail these four controls over and over again:
Control #1 That's Often Failed: Risk Assessments The Tugboat platform has controls and evidence reminders to keep you on track on the Readiness Dashboard, and we have risk register templates to give you an idea of the risk questions you need to think about and how you plan to mitigate those risks. Jose and his team also published a guide that teaches you how to conduct your own risk assessments and have them be acceptable for your audits.
Control #2 That's Often Failed: Penetration Tests We can't emphasize this enough: start your pentest early in order to get your SOC 2 done on time . You can hire freelance pentesters or work with pentest providers like Cobalt (one of our customers and partners). For example with Cobalt, you can get pentesters quickly because they have a lot of staff always available (thanks to their global network of pentesters). We also highly recommend White Hat Security and NetSpi based on our experiences with them and our vetting of their quality of work, fit, track record, and cost.
Once you get your pentest(s) completed (depending on the number of apps and systems that need to be tested), you can store your pentest report in the Tugboat platform as evidence under the control requiring pentesting.
Control #3 That's Often Failed: Vendor Risk Management Like risk assessments, evaluating vendors and their risk levels is straightforward. In fact, you just need to follow these two steps according to Jose and the Tugboat Security Labs team. But if you want to automate the whole process and not groan to yourself about spending 23 minutes looking for vendor risk management reports because no one in your org knows where they're kept (yeah, this happened to me), then the Tugboat platform will automate the entire process for you and keep all your reports in the platform (alongside your pentest repots and security questionnaires).
Control #4 That's Often Failed: On/Offboarding
On/offboarding employees is easy to do in theory and practice – but only if you've documented each step and organized them into repeatable checklists. Similar to risk assessments and vendor risk management, you can create a DIY checklist from this guide Jose and his team put together. But if you'd rather automate the on/offboarding process and not worry about maintaining your own checklists and collecting evidence proving that each employee was on/offboarded correctly, then you can leverage the Tugboat platform's automatic on/offboarding evidence collection feature.
Get 'Er Done! Now that you know the four controls that people often fail their audits on, you should prioritize getting these controls done well. And, don't be afraid to ask your auditor to double-check them for you well before audit time! According to Jose and our friends Liam Collins and Ryan Goodbary at Armanino, auditors really want you to pass your audit AND they want you to ask them for help.
So, ask them for all the help! (that's why you're paying them, right? 😉) As always, give us a shout if you have any questions about the controls and how to implement them.