What Can and Can’t Be Automated for SOC 2

Categories: SOC 2 Tags:

Everyone is searching for a simplified SOC 2 experience but there’s some confusion about what can and can’t be automated for SOC 2. It’s not something that can be 100 percent hands-free.

Reducing your number of daily decisions is a form of automation. It’s how you streamline processes, limit distractions and save time and manpower. So by default, manual implies the opposite—especially with SOC 2. As a result, you can’t help but feel a bit panicky as you prepare for what you assume will be a labor-intensive experience that will suck the joy out of your day-to-day tasks. But not all manual tasks are complex. 

For example, take those smart coffee machines that consistently deliver a decadent caffeine experience. As a home barista, you can choose between a cappuccino or a basic cup of black, set a program to run or even ask Alexa to do it for you. So fast! However, you’re still responsible for installing a coffee pod and filling the water reservoir manually for the machine to complete the task. The hands-on, manual expectations are quick, clear and straightforward, though.

Manual work for SOC 2 is similar. With the right automation, the manual evidence collection tasks are a lot like adding water. You save time and end up with a successful audit to pair with your delicious cup of coffee. Let’s take a look at some examples of what can and can’t be automated for SOC 2.


What Can Be Automated for SOC 2

Most organizations face the same SOC 2 challenge—ensuring their team implements the necessary controls and properly document evidence. Automating evidence tasks saves time, money and a heck of a lot of stress.

When searching for SOC 2 software, automated evidence collection and integrations are a high priority. Tugboat Logic includes smart integrations that map to your specific controls and policies. In addition, the AutoCollect Dashboard is an extensive repository of use cases, with new ones released monthly. These include everything from Code Review and Cloud Firewalls Rules to MFA and Penetration Testing.

We follow best security practices rather than using an agent tool to pull data. You connect directly to your vendor, so none of the data goes through our internal system. Your data stays yours.

Check out a list of our integrations by use cases specific to all significant industry frameworks, including but not limited to SOC 2.

So, how long does SOC 2 take? Well, collecting evidence manually or without Tugboat Logic takes anywhere from six to eight weeks. Tugboat Logic saves you half the time! We guide you through setting up all the evidence you need to collect. And equipped with alerts, you’ll know ASAP if there are errors, where the problem is and how to fix it. You can even collect evidence at a requested frequency and monitor them to ensure you’re staying compliant. Like a set it and forget it function.


What Can’t Be Automated for SOC 2

If a software provider claims to automate the entire SOC 2 process, they’re seriously stretching the truth. In fact, it’s just not possible. So instead, ask them questions specifically about the following manual tasks. 


HR-Related Tasks Like Background Checks

Most organizations use a third party for background checks. All the information they’re supplied is pulled into whatever HR system they use. Depending on the position in question, background checks may include:

  • Criminal records
  • Employment history
  • Reference checks
  • Citizenship status or a work visa 
  • Credit history
  • Education 
  • Social media profiles
  • Driving record
  • Medical records

Does a SOC 2 auditor require Bob’s traffic ticket from 2012? Not at all. In fact, that’s private information that they definitely do not want in their possession! Auditors want to see evidence that the background check was completed, but not the contents of the check. 

Collecting this information manually just makes sense. That way, data requiring redaction or removal is confidently completed. Will you fail your SOC 2 for sharing Bob’s traffic ticket with an auditor? No, but it does increase back and forth communication with your auditor, potentially delaying completion


Executive Management Review Meetings

Companies typically have executive management meetings or board meetings on a set frequency. These quarterly or semi-annual meetings generally are not run through software. But, they usually have presentations. The decks include company performance, strategy points, and overviews resulting in discussions. Those are documented in meeting minutes. The minutes and the visuals may be stored in the cloud, but an integration won’t pull the evidence a SOC 2 auditor requires. 

There’s information in these presentations and confidential notes similar to the background check. A screenshot with redacted information is plenty for evidence regarding executive management review meetings. And if your auditor is looking for something specific, they’ll guide you.


Business Continuity and Disaster Recovery Plans or Tests

Business continuity and disaster recovery plans or tests can be managed with sophisticated software. However, it’s still common in businesses of all sizes to maintain these on good old-fashioned printouts. After all, if a disaster occurs and the connection to your network is lost, how will you know what to do? That’s why Word or PDF docs are still routine. 

These plans also require annual testing. Multiple departments review them and provide feedback for revisions. Then there’s real-life scenario testing. What was the scenario? When did you execute the plan? What was the outcome and which departments were involved? Organizations maintain all of this manually within their documents, making it easy for auditors to collect the information relative to the SOC 2 audit via screenshot.


Maximum SOC 2 Automation 

Automation is always appealing, especially when it comes to any security framework—they’re a huge task! We’re the best in the biz and automate almost 90% of the SOC 2 process. But, as we’ve just explained, there will always be a bit of manual evidence to collect. That’s why we built a screenshot tool for Google Chrome to assist with the manual collection, so it’s even less lift! And it’s all connected to your controls for simple attachments!  

From scoping to understanding your SOC 2 report and maintaining continuous compliance, Tugboat Logic supports and guides you every step of the way. And everything you do, even the manual work, is interconnected. Like a GPS (another time-saving automation tool we’d be lost without!), our platform updates your route, estimated time and shows you any delays on the way to SOC 2 compliance. 

Questions? Still uncertain about SOC 2? Feel free to get in touch with us. We’re always happy to help.