If you’re looking for thorough answers to your questions around passing SOC 2 audits remotely or whether you should do another risk assessment, then look no further: Both Jose Costa (CISO at Tugboat Logic) and Patrick Murray (Chief Product Officer at Tugboat Logic) sat down at a virtual roundtable with two "Real Deal Holyfield" senior auditors from Armanino: Liam Collins (Partner) and Ryan Goodbary (Director, Risk Assurance & Advisory Services). Armanino is one of the Top 25 accounting firms in the US and an all-around fantastic partner to work with.
The hour-long roundtable had a lot of info (19 pages single-spaced, to be exact), and we’re working on cleaning that up into a readable format. However, we shortened and pulled out the "what you need to know" answers. Note these answers were in response to FAQs we’ve heard from dozens of customers in the past four months.
The "What You Need to Know" takeaways
1) Remote audit challenges Armanino has seen from clients
Audits are getting delayed because people are taking longer to gather evidence (a result of company downsizing thanks to the 'rona recession). Designate a project manager to keep track of everything and everyone so your audit doesn't get delayed.
"Moving to remote audits has actually been challenging and moving companies to fully remote has been difficult for them. And to keep up with that rigor around controls means audits are getting delayed." - Liam Collins
2) What controls are no longer needed and/or should be added given your company has gone remote?
Controls to focus on in a remote work world:
- Your technology.
- Your business continuity plan (revisit it frequently).
- Risk assessment (revisit it frequently, especially if your vendors have gone belly up).
- The structure (e.g. work from home, public WiFi setting) where people are working.
- Remote data access: avoid making quick plans for granting remote data access to everyone.
- Monitor control implementation: make sure employees aren't burning out and unable to implement them.
- Add/remove controls based on what makes sense for your business: work with your auditor in figuring this out.
3) How to handle the evidence collection process given that both auditors and customers can't be on-site at their office
Keep things in one place (e.g. GDrive, Tugboat Logic) and make sure that things are being done. Create the process with your auditor at the very beginning of your engagement (saves time, heartache, and surprises).
4) How best to work with your auditor
Auditors are not out to get you: they want you to pass and want to help you pass (the more secure their clients are, the better it is for everyone). Communicate (and communicate some more). Even if it feels like over-communicating, it's better to have your auditor know that you're consistently making a good faith attempt to implement controls and heed their guidance. Leverage your auditor to "block and tackle" client requests that seem like overkill, e.g., clients asking you to get SOC 2 certified in all five Trust Services Categories when the overwhelming majority of companies need at most one to three categories.
TL;DR / TL;WR
Remote work and the 'rona recession have made it harder to prep for audits, but lean on your auditor to help you get stuff done. They want to help (assuming they're not the type to nickel and dime you for everything 😉), want you to be more secure, and want you to pass the audit! Hit us up if you have any questions and/or want to try out the Tugboat platform.