Should You Prepare for Your SOC 2 Audit Internally (Without Software or a Consultant)?
If you’ve looked into it, you know there’s a lot of information out there about the best way to prepare for your SOC 2 audit. After scrolling through a page or two of SOC 2 search results, you may have thought to yourself “can’t I just do this myself?”
This is not an uncommon question. So, to find out, we interviewed professionals and SaaS leaders (outside of Tugboat Logic) who have done exactly that: they have either led or worked on a SOC 2 audit readiness project completely in-house, across different industries such as healthcare, fintech, and retail.
Keep reading to learn about the interviewees’ experiences and what they think are the important considerations, benefits and challenges of working towards SOC 2 internally.
Important Reminders For Getting Ready for a SOC 2 Audit Internally
What is most important to consider when thinking about starting a SOC 2 readiness project in-house? Here’s what the interviewees had to say:
Employee Education and Buy-in for SOC 2 Audit
To meet SOC 2 requirements, your employees will have to go through some kind of security awareness training. However, if you choose to complete your SOC 2 readiness project in-house, the security training and education cannot end there.
This is important no matter what method you choose to prepare for your SOC 2 audit, but is particularly critical when working towards SOC 2 in-house because:
“When you do a SOC 2 readiness project in-house, there will 100% be bumps in the road, no doubt, it’s not going to be smooth. Your team needs to be regularly trained on your SOC 2 objectives, roadmap, and best practices for when issues happen.” – Ankur Garg, Chief Technology Officer at Atlas MedStaff
Outsourced SOC 2 Controls
You can still outsource some of the SOC 2 controls you’ll need if you choose to get ready for your SOC 2 audit internally. For example, background checks, security training, mobile device management, pen testing and anti-virus software can all be outsourced to different vendors.
Here are some tool vendors recommended by our security team:
- Background checks: Checkr
- Security training: KnowBe4
- Antivirus software: Bitdefender
- Pen testing: Cobalt
- Mobile device management (MDM): Jamf
For each control you choose to outsource, you will have to find a vendor that works for your business and your budget, and that will keep your data secure in a manner that complies with your business’s unique SOC 2 requirements. Without SOC 2 compliance software, you may have to do all of these vendor risk assessments manually.
Independence is important across InfoSec frameworks. The concept means that employees should not assess or test controls that are connected to their daily activities. For example, your controls around background checks should not be assessed by members of your HR team. Independence is not mandatory for SOC 2, but SOC 2 auditors regard it as best practice.
However, if you hope to expand your business or services to Europe, there will be potential customers that require you to have an ISO 27001 attestation to do business with them. ISO 27001 requires independence.
So, considering independence in your SOC 2 policies and controls will make your ISO 27001 journey much faster and easier. This helps you keep focused on selling more in those new markets.
“Independence is challenging to consider when you are preparing for an audit in-house, because there are so many controls connected to your security team. The easiest way to do this now is through compliance software that can automate testing of your controls for you.” – Steven Maske, Sr. Manager of Cybersecurity at a retail enterprise
Pros of Preparing for Your SOC 2 Audit in-House
Now that we have gone over the important considerations for working towards SOC 2 in-house, what are the benefits?
Full Control of Your Audit Readiness Project
When you prepare for a SOC 2 audit in-house you create all your security policies, controls and evidence tasks from scratch. This allows you to have full control over your SOC 2 project and documentation from beginning to end.
SOC 2 automation compliance software provides you with policy and control templates that show you where to add customizations for your business and industry.
But, when you get ready for your SOC 2 audit in-house, you can center the particularities of your business in each policy and control from its creation.
Seamless Multidepartmental Communication
Although good SOC 2 software providers or consultants should make communication easy, internal communication is always easier than external communication. With an in-house project, you can reach everyone working on your SOC 2 project through the internal lines of communication you already use every day.
Cons of Preparing for Your SOC 2 Audit in-House
We asked the interviewed professionals what challenges they faced when preparing for a SOC 2 audit in-house. Here’s what they had to say:
An in-house SOC 2 audit project can be really expensive in the long run for two reasons: you might have to hire expertise, and it takes time. Here’s why.
Hiring in-House Expertise
SOC 2 is not one-size-fits-all, so you’ll need someone who can guide you on your unique SOC 2 audit journey. If you hire a compliance officer, they’ll need not only SOC 2 expertise but also experience with and knowledge of the particularities of your business and industry.
One person will have to be fully dedicated to the project, no matter the size or industry of your organization. Hiring this kind of talent is also not cheap: the average cost of a compliance officer is 100,000 USD.
“We have an in-house security team of four people. Our team was completely dedicated to the audit project for 6-8 months. We had to take our focus off all other projects. All our other priorities had to go on the backburner for a long time.” – Ankur Garg, Chief Technology Officer at Atlas MedStaff
If you already have a security team or officer, you may save money in upfront costs by completing your SOC 2 audit readiness project internally. However, you will still spend more money in the long run because, as we all know, time is money.
“You will spend more money in the long run doing in-house simply due to wasted time, mistakes and inefficiencies.” – William Floyd, Chief Technology Officer at Futu US
As Ankur added, “as the project manager of the in-house SOC 2 project, I often spent more time creating and explaining tasks for my security team members and evidence task owners across our company than it would take to actually complete those tasks.
Even if you have access to expertise in-house, if you think a certain task will take you a month to complete—triple that.”
See how compliance software saves you time in this clip from our “Securing the Startup Tech Stack” webinar with Blake Brannon (Chief Strategy Officer at OneTrust), Cailin Sullivan (Security Engineer at Appcues) and Joe Sullivan (Chief Security Officer at Cloudflare).
Organization, Storage and Access Are Difficult
When you get ready for your SOC 2 audit in-house, your documentation will live in many different places, across many different employee devices. Your policies may be in Google Docs, your controls in spreadsheets, and your evidence in dozens of folders of screenshots.
Even the best project manager will find organizing, storing and accessing all of this challenging.
This is one of the primary reasons Tugboat Logic was created by security professionals. They were sick and tired of not having a centralized system of record that would have everything for their security projects in one place.
“You need to track all policy and control changes for your SOC 2. Without software, this tracking is not automatic. Sometimes people make updates and forget to note them. It’s very challenging to then go back and say who made that change, when and why.
I have now made the switch to compliance software. We needed our documentation and workflow organized, stored and tracked in one place. Only software can do this for you.” – William Floyd, Chief Technology Officer at Futu US
Controlling everything about your SOC 2 project from beginning to end can be a benefit of preparing for your SOC 2 audit in-house. But it’s also a challenge.
You won’t have access to any automation when you work towards SOC 2 in-house, so you’ll have to manually:
- Create and maintain all documentation (policies, controls, and evidence tasks).
- Pull evidence from your tech stack on an ongoing basis and attach it to your controls to show your auditor that your controls are working as intended.
- Build and manage the project roadmap, assign task owners and ensure task completion.
- Create and complete a risk assessment that includes all possible risks associated with your business and their remedies.
- Build any requested reports for prospective customers around your security practices and environment.
- Maintain continuous compliance to ensure you have everything in place to pass your next annual audit.
As Steven Maske, Sr. Manager of Cybersecurity at a retail enterprise said, “there is so much monotonous, manual and tedious work involved with preparing for a security audit internally. I wouldn’t recommend it. I’ve been in security for 22 years, I have done SOC 2 in every possible way and have even been a SOC 2 auditor.
I wouldn’t do an in-house SOC 2 project ever again. If you can automate certain processes, why not? Spend resources on what saves you time. Compliance software is how I do this with every company I work with now because it’s the most effective and easy way to actually pass your SOC 2 audit.”
SOC 2 compliance automation software automates everything listed above through in-platform features and integrations. This is how we’ve seen businesses that use software cut their audit readiness times by as much as 60%.
Increased Possibility of Error
Preparing for your SOC 2 audit in-house greatly increases the possibility of human error.
You’ll have to ensure on your own that no mistakes are made in any of the manual tasks discussed above.
When a mistake occurs and your auditor catches it, it doesn’t just lengthen your SOC 2 journey. It is also very expensive, because for each mistake your auditor will bill you more hours.
As Mitul Sampat, Technical Specialist at CitiusTech said, “when I prepared for a SOC 2 audit internally I was the project manager and it was painful. Especially working in healthcare, there are a lot of specifics to keep track of. SOC 2 software will automatically collect and monitor evidence for your controls. That level of assurance is just not possible without it.”
Ankur Garg, Chief Technology Officer at Atlas MedStaff added, “the requirements of these security frameworks are always changing. ISO 27001 just had a crucial update that many missed because they didn’t have access to the right expertise. Before starting an in-house SOC 2 project, consider if you have the resources and capacity to take on full responsibility for every possible mistake or outcome.”
Tugboat Logic & SOC 2 Audit Readiness
This may all feel overwhelming still, but remember you are not alone. If you still have questions about preparing for your SOC 2 audit in-house, or using any other method, our team of experts is always here to help.
If you like the sound of trying automated SOC 2 software that saves you time and money while giving you access to first-in-class security expertise, grab a free trial of our platform.