[Author: Jim Tierney]
Your SOC 2 audit is the culmination of countless hours of hard work designing controls and producing the documentation that will hopefully prove your organization has the necessary security measures in place and operational. A third-party auditor will examine your organization’s controls and then issue a report that contains one of the following four opinions:
- Unqualified Opinion: This is the equivalent of “passing” a SOC 2 examination, meaning no issues were found in the descriptions, controls, testing, etc.
- Qualified Opinion: A mostly clean report but there was some sort of issue found, most commonly a limited scope or material misstatement. Organizations can proceed with a Qualified Opinion, opting to explain to customers and partners why the exception was rare and how it was fixed.
- Adverse Opinion: Consider this opinion a “fail,” because the auditor found that controls are not designed and/or operating effectively.
- Disclaimer of Opinion: This occurs when the auditor cannot deliver an opinion because they weren’t able to obtain the necessary evidence.
Having a plan before and during a SOC 2 audit is key to receiving the desired Unqualified Opinion. Here are some actions you can take that will improve your chances of success.
Avoid overly rigid requirements and aspirational control objectives
Don’t lock yourself into requirements that may not be achievable. An example of this would be a control that states 97% of terminated accounts will be removed within 24 hours instead of 100%. If an auditor finds an anomaly, you could still hit the 97% threshold and it won’t be a finding.
Have an access removal plan
A common pain point organizations experience is the timely review of access and termination of old access for transfers from one business unit to another. This issue is often ignored and can be a problem if you have a Database Administrator (DBA) transferring to a different role and still retaining DBA access.
Request a scope
Prior to the engagement, request in writing that the audit team provide a scope for the upcoming audit. The scope will detail the areas of concentration. Review the scope statement and examine the areas under your purview. If you encounter scope statements that are unclear or vague in their intent, promptly notify the audit team and ask for clarification. This prevents misunderstandings of the audit scope that could otherwise result in exceptions.
Monitor and test your controls before the audit
This will help identify red flags or potential audit findings. Take remediation action prior to the audit where possible; if the auditors still judge an item to be a finding, the remediation already under way may blunt its impact. Also, ensure that there are policies and procedures that match the areas in scope, and perform spot checks to confirm that the organization is actually doing what those documents say it does.
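As an added illustration (not code from the original post) of testing a control before the auditor does, the script below evaluates the access-removal control described above: at least 97% of terminated accounts disabled within 24 hours, and no internal transfer retaining roles from a previous position, such as a former DBA. The HR events and IAM state are constructed sample data; the record layout and role names are assumptions.

```python
from datetime import datetime, timedelta

def build_sample():
    """Constructed sample data (not from the post): 40 terminations, one of them
    deprovisioned late, plus one internal transfer that kept its old role."""
    hr_events, iam_state = [], {}
    start = datetime(2024, 3, 1, 9, 0)
    for i in range(40):
        user, term_at = f"user{i:02d}", start + timedelta(days=i)
        lag = timedelta(hours=63, minutes=30) if i == 7 else timedelta(hours=2)
        hr_events.append((user, "terminated", term_at, "analyst", None))
        iam_state[user] = (term_at + lag, set())            # (disabled_at, roles)
    hr_events.append(("dave", "transferred", datetime(2024, 3, 4, 10, 0), "dba", "pm"))
    iam_state["dave"] = (None, {"dba", "pm"})               # still holds the DBA role
    return hr_events, iam_state

def termination_removal_rate(hr_events, iam_state, sla_hours=24):
    """Fraction of terminated accounts disabled within the SLA, plus the late ones."""
    terminated = [e for e in hr_events if e[1] == "terminated"]
    late = []
    for user, _, term_at, _, _ in terminated:
        disabled_at, _ = iam_state.get(user, (None, set()))
        if disabled_at is None or disabled_at - term_at > timedelta(hours=sla_hours):
            late.append(user)
    rate = 1.0 if not terminated else 1 - len(late) / len(terminated)
    return rate, late

def stale_transfer_access(hr_events, iam_state):
    """Transferred users who still hold a role from their previous position."""
    return [(u, old) for u, ev, _, old, _ in hr_events
            if ev == "transferred" and old in iam_state.get(u, (None, set()))[1]]

def evaluate_control(hr_events, iam_state, threshold=0.97, sla_hours=24):
    """Test the control as written: at least `threshold` of terminations are
    deprovisioned within `sla_hours`, and transfers keep no old roles."""
    rate, late = termination_removal_rate(hr_events, iam_state, sla_hours)
    return {
        "rate": round(rate, 4),
        "late": late,
        "meets_threshold": rate >= threshold,
        "stale_transfers": stale_transfer_access(hr_events, iam_state),
    }

if __name__ == "__main__":
    events, state = build_sample()
    print(evaluate_control(events, state))   # one late removal out of 40 still meets 97%
```

Run against real HR and IAM exports, the single late removal would stay within the 97% threshold, while the transferred user still holding the old DBA role is exactly the kind of item to fix before the auditor samples it.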
Keep an open line of communication
Informally meet with the auditors throughout the process to address any potential issues or findings so they can be discussed, negotiated, or addressed. Good communication and rapport with your auditor can mean that issues are dealt with more favorably and some allowance for reducing the severity of findings may be given.
Make sure you understand the audit methodology. The auditor should be able to explain their approach to testing a control. Auditors often use sampling instead of exhaustive tests. Make sure that the testing is effectively random and statistically valid.
Ask for a preliminary report
Try to get a preliminary report before the official report is issued to management. This is your last chance to catch any errors and resolve any inconsistencies prior to the report becoming official. It’s not uncommon to catch errors in how the findings were stated, findings based on communications that are not the most current, findings that were not accurate, or additional information that was overlooked.
Prepare staff for interviews
Everyone in your organization who will participate in an auditor interview should be coached ahead of time. They need to know to answer only the auditor’s specific questions and not volunteer information that may necessitate additional scrutiny. If they are uncertain or uncomfortable about providing information, they should defer to their management. They should not be afraid to say that they are not the best person to answer a question.
Employees should practice with their manager or security consultant before the interview so they can anticipate questions they might get and be prepared to give an appropriate response.
To further ensure your chances for SOC 2 success, read how you can avoid common SOC 2 mistakes.