Corporate Compliance Insights

Tips for Selecting a SOC 2 Auditor

How to Choose the Right Partner for SOC 2 Compliance

by Justin Beals
January 8, 2021
in Cybersecurity, Featured

The role of SOC 2 compliance in securing your data can’t be overstated. Strike Graph CEO Justin Beals discusses how to find the right audit partner – one who meets your needs as they test the operational effectiveness of your systems.

A Service Organization Controls (SOC 2) certification is an independent audit of your organization’s security practices. When your company passes a SOC 2 audit, you are showing both potential and existing customers that you have solid cybersecurity and organizational governance practices in place. A SOC 1 relates to financial controls, and a SOC 3 is akin to a public summary of a SOC 2. The SOC 2 certification is granted after an independent auditor attests either that controls are in place or that the controls in place are operating effectively, and that the controls you have identified meet established criteria.

Every SOC 2 starts with the Security “Trust Services Criteria”; however, if relevant for your organization, you can add the “Trust Services Criteria” of privacy, confidentiality, processing integrity and availability.

Type 1 vs. Type 2

There are two types of SOC 2 certifications: a Type 1, which translates to a “point in time” audit on a date chosen by you, and a Type 2, which is focused on how controls are operating over a period of time. For both a Type 1 and a Type 2, the auditor will provide an audit opinion as to:

  • Whether your “System Description” accurately describes the service you provide and that it is readable to a typical user of your service.
  • How well your controls are designed to meet the Trust Services Criteria. Auditors will assess this by walking through your controls and testing one sample for each control. You will show auditors your cleanest, current and most representative example of each control.
  • Whether you have enough control coverage to address the relevant Criteria. A great auditor will help you identify additional controls if they think coverage is light in an area; however, they cannot create or operate any controls for you.

For a Type 2, your auditor will also test samples for each control to determine if the controls are working effectively over a period of time. The most common period of time for an audit is 12 months, but other factors may point you to a shorter period of time. Maybe your first Type 2 is only for a three-month period so that you reach a clearly defined year end and your next Type 2 can occur on a 12-month cadence. Or maybe the industry you serve primarily has a September 30 year end, in which case you may want to align your annual audit with their fiscal year ends.

“Do I really need a SOC 2?”

The most common reason an organization obtains a SOC 2 certification is because they have potential revenue on the line in the form of a critical sales opportunity. Procurement departments of many organizations require some form of security certification, such as SOC 2 or ISO 27001. Losing a major revenue-generating sales opportunity is not an ideal scenario!

Another common reason for getting the SOC 2 certification is simply to meet the terms of your contracts with your customers. Again, many organizations have placed SOC 2 certification in their MSA or contract. If your organization does not yet have an industry standard security certification, pull out existing customer contracts to make sure you are in compliance. Being in breach of contract is also less than ideal.

Other than winning sales or meeting contract terms, another common driver is boosting brand trust to win more customers. Having that SOC 2 “badge” on your webpage shows potential customers that your security program is meeting good practice standards. It shows your customers that your organization takes security seriously and has made the investment in security practices.

“How long will it take to get certified?”

The typical SOC 2 journey – from preparation to a Type 1 to a Type 2 – can take between six and 18 months. If you are only aiming for a Type 1, allow anywhere from six weeks to nine months. The time span will be a function of the maturity of your information security program, the security resources available to you (i.e., tools, a dedicated employee or a trusted consultant) and ultimately how urgently you need to be certified to win the next big sale.

Tips for Success

  • Establish solid and repeatable logical access and change management procedures and controls. These two areas typically have more room for human error or lack of oversight and, in a Type 2 audit, you can be sure that your auditor will find mistakes if any steps in these processes are missed.
  • Set up solid security practices early. Start implementing good security practices earlier than you think. You are ready the day you start developing your product. Toss a few security set-up tasks into each sprint.
  • Confirm the timing of controls prior to the audit. While there is no specific guidance on when controls need to be in place, most auditors will want to see annual controls performed within the 90 days before the audit date and not one day earlier. For both a Type 1 and a Type 2 audit, kick off your pen test and perform all annual controls within that 90-day window. If your organization is in a higher-risk industry subject to more hacks and actions by bad actors, the appropriate pen test window may even be no earlier than 45 days before the audit date. Confirm timing with your auditor to make sure you don’t have to duplicate any efforts.

Tips on Hiring a Great Audit Partner

Choosing a SOC 2 auditor can seem like a dreadful, panic-inducing process, but a great auditor is a valuable partner. Plan to chat with at least three potential auditors. They should all come very close in price, so the key drivers on your decision will be how they answer the following:

  1. What is your experience with a company of our size and security (Privacy, Confidentiality, Availability, Processing Integrity) maturity? Look for a firm that has experience auditing companies that are as close in size and level of security maturity as you. If you are a startup and still growing and they have no experience, you may run into a scenario where they expect a world-class security program that doesn’t make sense for where you are in your journey.
  2. What is your quality review process? How many layers of review do you have? The answer to this will impact the time it takes for the auditor to deliver your final SOC 2 report. You are looking for an auditor who is committed to quality, but who is also as efficient and nimble as you are. A final SOC 2 report delivered about six weeks after the end of their field work may be OK for you, but make sure you are comfortable with their deliverable date.
  3. Do you require at least one control for each point of focus? Some firms require at least one control per point of focus, while others are fine with adequate coverage for each principle. There is no requirement in the guidance that each point of focus must be mapped to at least one control. For the more operational controls, we find that this one-to-one approach leads to unnecessary, busy-work controls that don’t provide any extra layer of security or result in meaningful controls.
  4. As an audit deliverable, will you provide recommendations on how we can mature our security environment? This is especially important if you are a young company. An excellent auditor will meet with you after the audit to suggest areas for improvement or processes and technologies to consider as your security program matures.

As you navigate through the SOC 2 process, be aware that the heavy lifting occurs prior to the first audit. Acknowledge that the preparation for a SOC 2 is a necessary investment and will unlock the potential for more sales by earning your customers’ trust. Good luck!

Justin Beals
Justin Beals is the CEO and co-founder of Seattle-based Strike Graph, a compliance automation provider. He is a serial entrepreneur with expertise in AI, cybersecurity and governance who started Strike Graph to eliminate the confusion related to cybersecurity audit and certification processes.  