The role of SOC 2 compliance in securing your data can’t be overstated. Strike Graph CEO Justin Beals discusses how to find the right audit partner – one who meets your needs as they test the operational effectiveness of your systems.
A Service Organization Controls (SOC 2) certification is an independent audit of your organization’s security practices. When your company passes a SOC 2 audit, you are showing both potential and existing customers that you have solid cybersecurity and organizational governance practices in place. A SOC 1 relates to financial controls, and a SOC 3 is akin to a public summary of a SOC 2. The SOC 2 certification is granted after an independent auditor attests either that controls are in place or that the controls in place are operating effectively, and that the controls you have identified meet the established criteria.
Every SOC 2 starts with the Security “Trust Services Criteria”; however, if relevant for your organization, you can add the “Trust Services Criteria” of privacy, confidentiality, processing integrity and availability.
Type 1 vs. Type 2
There are two types of SOC 2 certifications: a Type 1, which translates to a “point in time” audit on a date chosen by you, and a Type 2, which is focused on how controls are operating over a period of time. For both a Type 1 and a Type 2, the auditor will provide an audit opinion as to:
- Whether your “System Description” accurately describes the service you provide and that it is readable to a typical user of your service.
- How well your controls are designed to meet the Trust Services Criteria. Auditors will assess this by walking through your controls and testing one sample for each control. You will show auditors your cleanest, current and most representative example of each control.
- Whether you have enough control coverage to address the relevant Criteria. A great auditor will help you identify additional controls if they think coverage is light in an area; however, they cannot create or operate any controls for you.
For a Type 2, your auditor will also test samples for each control to determine if the controls are working effectively over a period of time. The most common period of time for an audit is 12 months, but other factors may point you to a shorter period of time. Maybe your first Type 2 is only for a three-month period so that you can get to a clearly defined year end so that your next Type 2 can occur on a 12-month cadence. Or maybe the industry you serve primarily has a September 30 year end, in which case you may want to align your annual audit with their fiscal year ends.
“Do I really need a SOC 2?”
The most common reason an organization obtains a SOC 2 certification is because they have potential revenue on the line in the form of a critical sales opportunity. Procurement departments of many organizations require some form of security certification, such as SOC 2 or ISO 27001. Losing a major revenue-generating sales opportunity is not an ideal scenario!
Another common reason for getting the SOC 2 certification is to simply meet terms of your contracts with your customers. Again, many organizations have placed SOC 2 certification in their MSA or contract. If your organization does not yet have an industry standard security certification, pull out existing customer contracts to make sure you are in compliance. Being in breach of contract is also less than ideal.
Other than winning sales or meeting contract terms, another common driver is boosting brand trust to win more customers. Having that SOC 2 “badge” on your webpage shows potential customers that your security program is meeting good practice standards. It shows your customers that your organization takes security seriously and has made the investment in security practices.
“How long will it take to get certified?”
The typical SOC 2 journey – from preparation to a Type 1 to a Type 2 – can take between six and 18 months. If you are only aiming for a Type 1, allow anywhere from six weeks to nine months. The time span will be a function of the maturity of your information security program, the security resources available to you (i.e., tools, a dedicated employee or a trusted consultant) and ultimately how urgently you need to be certified to win the next big sale.
Tips for Success
- Establish solid and repeatable logical access and change management procedures and controls. These two areas typically have more room for human error or lack of oversight and, in a Type 2 audit, you can be sure that your auditor will find mistakes if any steps in these processes are missed.
- Set up solid security practices early. Start implementing good security practices earlier than you think. You are ready the day you start developing your product. Toss a few security set-up tasks into each sprint.
- Confirm the timing of controls prior to the audit. While there is no specific guidance on when controls need to be in place, most auditors will want to see annual controls performed within the 90 days before the audit date, and not one day earlier. For both a Type 1 and a Type 2 audit, kick off your pen test and perform all annual controls within 90 days of the audit date. If your organization is in a higher-risk industry subject to more hacks and actions by bad actors, the appropriate pen test window may even be no earlier than 45 days before the audit date. Confirm timing with your auditor to make sure you don’t have to duplicate any efforts.
Tips on Hiring a Great Audit Partner
Choosing a SOC 2 auditor can seem like a dreadful, panic-inducing process, but a great auditor is a valuable partner. Plan to chat with at least three potential auditors. They should all come very close in price, so the key drivers on your decision will be how they answer the following:
- What is your experience with a company of our size and security (Privacy, Confidentiality, Availability, Processing Integrity) maturity? Look for a firm that has experience auditing companies that are as close as possible to yours in size and level of security maturity. If you are a startup and still growing and they have no experience with companies like yours, you may run into a scenario where they expect a world-class security program that doesn’t make sense for where you are in your journey.
- What is your quality review process? How many layers of review do you have? The answer to this will impact the time it takes for the auditor to deliver your final SOC 2 report. You are looking for an auditor who is committed to quality, but who is also as efficient and nimble as you are. A final SOC 2 report delivered about six weeks after the end of their field work may be OK for you, but make sure you are comfortable with their deliverable date.
- Do you require at least one control for each point of focus? Some firms require at least one control per point of focus, while others are fine with adequate coverage for each principle. There is no requirement in the guidance that each point of focus must be mapped to at least one control. For the more operational controls, we find that this one-to-one approach leads to unnecessary, busy-work controls that don’t add any extra layer of security and don’t result in meaningful controls.
- As an audit deliverable, will you provide recommendations on how we can mature our security environment? This is especially important if you are a young company. An excellent auditor will meet with you after the audit to suggest areas for improvement or processes and technologies to consider as your security program matures.
As you navigate through the SOC 2 process, be aware that the heavy lifting occurs prior to the first audit. Acknowledge that the preparation for a SOC 2 is a necessary investment and will unlock the potential for more sales by earning your customers’ trust. Good Luck!