S2 E1: Preparing for a SOC 2 Audit

Preparing for a SOC 2 Audit


Jordan Eisner: All right, here we are back for another round of Compliance Pointers. I’m your host, Jordan Eisner, VP of Sales at CompliancePoint, a mid-size consulting firm that supports our clients with risk management in the areas of information security, privacy, and regulatory compliance.

Today we’re talking about SOC 2, specifically what organizations should be doing regarding preparing for SOC 2 audit.

So I’m joined by Jim Tierney, Senior Manager on our Assurance Team at CompliancePoint. Jim has been a SOC 2 specialist for us for almost two years now, I think, or maybe just right around there. And before that, he held a variety of positions for more than 20 years, correct me if I’m wrong on that, Jim, at PWC. So yeah, give our listeners a little of your background before we get into the topic today.

Jim Tierney: Yeah, so I started my professional career at PWC. I started as a help desk technician, then I became a manager of the regional help desk services at PWC, shifted to security about 12 years ago out of our Tampa office. And I’ve worked in all phases of IT security, risk, and compliance with the various governance roles including risk management, issues management. I did all the questionnaires that clients send and then assisted PWC in achieving their first SOC 2 type 2.

Since then, I’ve been at CompliancePoint helping clients prepare and achieve their first SOC 2 in many cases and or improving their control monitoring for ongoing efforts.

Jordan Eisner: All right, well, let’s dive right in then. So I like for our listeners, or we like to start with a high-level overview of the topic. So just talking about a SOC audit, who conducts them, you know, tells a little about the different types of attestations they hear SOC 1, SOC 2, SOC 3, right? Type 1 versus type  2. What criteria you want to put in, right? How have you drawn the scope and the boundaries, right? Sum that up for us a little bit just to start and then we’ll get more into strategy.

Jim Tierney: Yeah, so, you know, basically, charter or certified public accountants, you know, CPAs, they conduct the SOC 2 attestation. You know, the SOC is service organizational control. So it’s really an attestation that differs a little bit from a certification in that you’re really putting things in place and then you’re getting an opinion from professional auditors about the status of your control environment.

So there are different types of reports. The SOC 2, type 2 is the most popular and that’s because it extensively outlines the control environment. It also includes testing procedures and results for those. So you can imagine why clients would want that because they can see what actual tests were performed and they get the highest level of assurance.

The SOC 2, type 1 is a great first step for people who are getting their control environment in order. The opinion differs because the CPA offers an opinion in the attest of your control’s design and that’s a point in time report. It gets you, you know, basically halfway there. You have controls that have been ratified and attested to and after that you can shift into your next step would be, you know, logically and probably good for your clients to a SOC 2, type 2 where you then focus on implementation of those controls. And that’s, you know, the major difference between the type 1 and type 2.

The type 2 is a period of time, so your controls have to operate effectively throughout the whole scope of the period.

A SOC 3 has the same kind of test procedures as the SOC 2, type 2. The difference is the report. So the report is what we say like windowed down. It’s the Joe Friday version, just the facts. It’s the advantage of the SOC 3 is having it demonstrates that you materially meet the AICPA Trust Service Criteria and that’s it. It doesn’t show the actual test procedures or results. And the reason people add the SOC 3 to say a SOC 2, type 2 is that you can share it with anyone. So this gives you, this opens the door for prospective clients for, you know, you could even post it on your website.

And SOC 1 is more financial related, so that is really, that’s focused on the system itself. It’s for companies that are going to rely on your system for their financial reporting. So when I hear SOC 1, I’m thinking, you know, you must deal with, typically you would deal with some kind of financial application or something like that. And those are very, those are highly customized to what exactly you’re doing.

Jordan Eisner: And I’m guessing SOC 2 was born out of SOC 1 just because of the numerical order, but, and that’s also part of why a CPA is required to do a SOC 2 even though it might not necessarily be financial data.

Jim Tierney: Well, I think the SOC 2 is, you know, meant for more general service organizations. So it’s the way CPAs sort of expanded into, hey, why don’t we, instead of just focusing on, you know, financial reporting, you know, there’s other important aspects that service organizations need to have under their belt. So they came up, you know, with the SOC 2 and that has, you know, a list of established trust services criteria that would apply in most cases to, in some degree, to all reports.

Jordan Eisner: Well, thanks for that. One thing we’ll talk about as we talk about strategies for, you know, a successful SOC 2 audit is you’ll hear the word control, control owners thrown around. I think we throw around that term pretty often, at least here at compliance one, because we’re all used to it, we understand it. Maybe we take for granted sometimes that people have different definitions of control. So just give like an example or two, right, of like a control or, you know, define that. I know that’s not necessarily a question we prefer beforehand, but I think that’s a good, you know, kind of preamble, right, before we start asking about control owners and other things.

Jim Tierney: Yeah, control is, and in SOC 2, they’re, you know, individual to the company. You can, you know, make your own controls. But it’s basically a, you know, a statement of how you manage a particular facet of, you know, security availability, confidentiality.

An example would be all employees are vetted before being given access to the sensitive data environment. So, you know, you have that statement, and that’s something that, you know, has to be executed on the back end.

So, you know, in testing that, you know, a CPA would look and say, okay, show me the background checks of everybody and the dates they started, and then check that against when they were granted access to sensitive systems.

There are some that are, you know, focused on human capital. There’s some that are just focused on, you know, managing the environment. Some are focused on, you know, access controls, always a big area to have control and to have established controls.

And then there’s like systems, too, so you want to, you know, something like, hey, all of our, all systems have intrusion detection on them, you know, something like that. So easy to test.

I’d say the cleaner, the cleaner, the control, the, you know, easier it is for the CPA to test and the easier it is for your control owners.

Jordan Eisner: Yeah, that’s kind of a segue to my next question. Okay, you know, talking about successful audit and we’ll start with, it probably makes sense to avoid overly rigid requirements and have realistic control objectives, right? So, talk more about that, right? You were just getting into it, but, you know, you don’t want to make it too hard for yourself.

Jim Tierney: Yeah, think of it as management has the duty and responsibility to assess risk in their organization. So there’s no reason to have controls that are, you know, tighter than what the defined risk posture is. So you have to have enough to support management security objectives. So, you know, I steer clients away from, I would say, like aspirational controls and for that matter, policy statements because, you know, they are more likely to fail tests.

So you want a control that can be implemented and executed predictably and repeatedly. So with that case, you know, finding the balance of, you know, what makes the environment secure? What are we capable of executing and having that?

That doesn’t mean you can get away with, you know, having controls that are so weak that they don’t do anything, but it does mean, you know, don’t have like, you know, backups are going to be tested every day, you know, every failure will be remediated in the same day, you know, something crazy.

Jordan Eisner: Every employee is going to be vetted before they have access to sensitive data and the vetting can take no longer than one hour.

Jim Tierney: Right. Yeah, you want to, you know, have a realistic risk profile, which, you know, part of SOC 2, you will have, you know, put together a risk assessment. And so making risk-based decisions is the right way to design controls and to operate the environment.

Jordan Eisner: Let’s talk about control owners, right? What are they expected to do? Who are they?

Jim Tierney: Yeah, if your organization is new to SOC 2, then people may not realize that they’re, despite what they’re hired for now, they are also control owners. So this is, you know, the individual typically like, you know, at least a line manager who operates a process.

So you know, for instance, the human capital manager would own the controls around employee onboarding typically. So the control owner is responsible for making sure that the HR processes are followed, that they can evidence that the controls are working properly, etc. So it’s not, you know, usually a control owner is related to the area in which the control is established. That’s, you know, that’s key.

And you know, just usually this is like a side job of, you know, making sure that, hey, I’ve also got to be accountable and make sure this is executed as part of my role.

Jordan Eisner: You know, I remember when our organization was going through SOC 2, I thought it was good and it seems, and I tell other organizations this when they’re considering it, it’s important that, you know, this is communicated from the top down. This is a team effort. It’s important for the organization. These are the benefits, right? And that starts with the executive team all the way down, right? In terms of control owners and doing your part as part of it.

Jim Tierney: Yeah, absolutely. That can’t be understated because, you know, it’s, you know, security 101 is management buy-in. So without management support, it’s going to be very challenging to line up the resources to make sure people have the time to also be control owners in the environment. And frankly, a lot of any kind of SOC 2 readiness effort is going to depend on management support. And there are typically controls that management is going to be in charge of operating. So they’re likely to be control owners themselves.

So you’re not going to get anywhere without, you know, some level of buy-in from management.

Jordan Eisner: Let’s talk about policy and procedure documentation. That’s very important for SOC 2.

Jim Tierney: You know, policy is the backbone of your program. So it’s vital. And you know, what you want here again is, you know, you don’t want some aspirational policy where you write it super tight and you don’t leave any kind of flexibility to make risk-based decisions.

So policy should be, you know, higher level and accurate. So I don’t think you want to get into difficult to execute minutiae at the policy level. You know, it’s really kind of, here’s how our security program is structured. Here’s what management expects.

And that’s critical on the other side because, you know, a CPA auditor coming in, to them, policy is management’s view of how things are actually operating. So when they find violations of your own policy, that will be listed as an exception or deficiency of some kind because they, you know, this is something that management has said is happening and it’s not happening. So you, you know, not only does your internal organization need to know this, the consumers of your product also will be informed if it’s a SOC 2 Type 2.

So it’s important to get the right level. You know, policy should be high level. It should be reviewed at least annually and save some of the details for your procedures. So procedures are where you kind of will get more definitive and, you know, about the actual processes as they are.

And you know, my typical consulting advice is start with what you’re doing because that’s, you know, not only will that, does that make sense. To me, a procedure or standard operating procedure, that’s the opportunity for someone to have, like, a document that demonstrates how to run a certain something.

So if they bring somebody in, you know, this document, I think, should be useful to them in showing how you run the environment. That way, the individual who wrote it or is in charge of it can move on to other things and meanwhile, they can know that there’s some standard of, there’s some standards in place for operating that particular thing.

So procedures, again, you don’t want to get too aspirational. You want to just say what is and, you know, make sure it meets your kind of risk profile that you’re doing the right things and that it’s, you know, predictable and repeatable.

Jordan Eisner: High level but tells the truth. Predictable and repeatable.

Jim Tierney: Procedures can get really, you know, they can get more detailed. Which is fine. You know, including down to like screen caps of like, hey, here’s how we set the security on this particular system. That’s fine because procedures are expected to change, you know, with greater frequency than I would say policy.

Jordan Eisner: And so you talked about CPA firms a little bit and what they’re looking for and how they view policy and we’ll come back to them. But, you know, maybe to that tune, right, they expect the policy to be management or the policy is how the organization should be running and really we’re looking to see that the activities, the operations mirror that. So what’s the best way to find gaps or red flags in that, right, of the security program before an audit, right, to see where the policies aren’t being followed, right, and the procedures don’t mash that up. It doesn’t mirror, right. What’s the best way to go about determining that in a way that you can figure out or roadmap how to fix or mediate those before an audit?

Jim Tierney: You know, there’s just get organized around, you know, the SOC. So you know, have the list of controls and of those, some of them will need to be checked more frequently than others. But you want to basically establish a control monitoring program.

So some things that might make sense to, you know, make sure that people reviewed access every quarter. Checkpoints for, you know, did we run our vulnerability scan when we were supposed to? Are we remediating things in line with, you know, what we’ve defined in our vulnerability and patch management policy?

So you know, creating that list of all the controls and then highlighting when you need to go back and check on some of those mid-year. That way you don’t have, you don’t find out, you know, a month before the audit that, you know, you missed two quarters of scans or people didn’t do their user reviews. You nail that like when it needs to be hit so that you capture that periodic evidence.

So I would, you know, think of it to have a successful audit. Think of it as a year-round program. It doesn’t mean you have to stare at the controls every day and go like, oh my gosh, I, you know, did we get a new hire today? But it does mean periodically checking on, you know, all of them, making sure there’s a status because there’s things you want to capture to make the audit move more smoothly.

So you want to capture those important meetings and agendas. You want to capture those scans. You want to capture your efforts for remediation. You want to catch any kind of thing that might be broken in your new hire onboarding process, catch it early.

So check that first quarter. Look at who started. Look for evidence of access requests. Make sure that their background check was done. Make sure that they completed security awareness training. So the best way is to programmatically and periodically throughout the SOC 2 period is identify which controls you need to test along the way. And that is a robust control monitoring program.

Jordan Eisner: Right, and that is necessary to prepare for an audit, right?

Jim Tierney: Now, depending on the approach of the auditor, some do like interim and update testing. So they come in like six months and 12 months. But often you’ll find they come at the end of the period and look back for the whole year.

Jordan Eisner: So it better have been working.

Jim Tierney: It should have been working the whole time. And one of the kind of areas is it like as soon as you get one report, it’s not uncommon for the control owners to scurry away. And you know, you got to bring them back.

Jordan Eisner: You’re talking about subsequent years, right?

Jim Tierney: Yeah. By the time you get the report for the last period, you’re in the next period.

Jordan Eisner: Right. Because it feels like probably such a race, a sprint, right? Or marathon.

Jim Tierney: Yeah, there’s a lot of work that, yeah.

Jordan Eisner: You’ve been taken from the mountaintop, put right back down at the bottom and said climb again.

Jim Tierney: Yeah. So it’s, you know, you got to make sure that, you know, give people, you know, give them a little break. But by the end of the first quarter, you know, come back and like, hey, let’s at least check on, you know, these big areas with periodic controls that we need to make sure are operating.

Jordan Eisner: What about specific to the audit, right? I know that that obviously goes into preparing and the controls need to be functioning, right? You need to demonstrate and provide that evidence. But what about for the actual audit part of it where you’re going to meet with the CPA firm and they’re going to request this information, what’s the best way to prepare for that?

Jim Tierney: Yeah, I would say, you know, have, you know, discussion with all the control owners, prepare them for, you know, talking to the auditor. Think of them as interviews. So what you want control owners to do is adequately represent their areas and to, you know, stay focused on, you know, what the controls are and what evidence they have.

Sometimes it does make sense to present a certain area, you know, that may have some complexities. You may have a presentation of just like, hey, here’s how we operate this area. It’s not necessary for everything.

Some of this stuff is pretty black and white, like, give me all your current employees. Out of those, give me these 10, show me that they, you know, updated their security training, etc.

But the, and also just to kind of put your control owners at ease, you know, it’s an interview with, you know, sometimes there’s a little bit of nervousness about dealing with auditors, but it’s really just present your controls in with the scope systems, be confident with what you’re delivering.

And then I would say I would caution against kind of oversharing, you know. I’ve been a part of some audits where, you know, a control owner just starts waxing poetically about things that aren’t really, wasn’t really a question and that are at best impertinent and can be damaging to the impression that you’re leaving with the auditor.

So just be prepared, confident, and as far as organizing with the auditor, I would say, you know, take the time to discuss with them when they’ll be doing their testing, when you can start getting them some of the evidence so that you can move the audit along. Some evidence you would, you know, you already have, it’s ready, so go ahead and get that into their hands. And then others, you know, they might have to wait till the end of the period so that they can test the whole period, you know, have that marked out. Like here’s all my, the evidence I can give them now. Here’s the evidence that we will have to get them as soon as the period closes, as soon after as we can so that they can select their samples.

Have a good relationship with them, you know, give them what they ask for and.

Jordan Eisner: Well, that’s what I was going to ask. I think that’s a good bridge to sort of the last question I wanted to ask today. You talk about having a good relationship with the CPA firm. How should a company go about selecting a CPA, right, to do this attestation? You know, what are some, maybe some key things they should look for or consider?

Jim Tierney: Yeah, I would say look for, I would say the kind of right level of firm for your organization. So there’s some questions I would ask is like, you know, has your firm worked in the area of my particular business before? Do you have experience dealing with kind of similar systems that we have or in this in this industry?

So try to line that up because you get more kind of understanding and less back and forth on explaining what those things are.

And then, you know, look at reputation. Is it, you know, if you’re a small company, do you want to go try to, you know, achieve a big four audit? You probably want somebody kind of, you know, size and scale that would kind of fit with your organization.

And then I would, you know, look at, you know, see if there’s, if you have industry peers who they’re using, talk to people. If you have, you know, somebody like Compliance Point Consulting, you know, ask them about relationships they have and who they might recommend.

When you talk to them make sure you vibe a little bit, you know, right? Hopefully you have this relationship for a long time because it does make, you know, subsequent auditors, audits, you know, somewhat more predictable in that, you know, you kind of you both get to know each other and the organization so you know where to kind of look and what to fix.

Jordan Eisner: Well, there you have it. From the from the mind of a SOC 2 expert, right. How to prepare for what controls you need to have, you know, why all this matters, how to select a firm.

So thanks for coming on, Jim. Very helpful. And thank you to our listeners.

If you haven’t, make sure you subscribe to avoid missing future episodes. If you’re already subscribed and enjoying the content, please be sure to leave us a view.

And if you’re interested in learning more about CompliancePoint, our SOC 2 readiness services, for instance, or, you know, we partner with a lot of companies on SOC 2 do that attestation. So maybe some advice from us on what firm fits your profile.

Check us out online at compliancepoint.com. Enquire with us at connect@compliancepoint.com or reach out to Jim or myself directly on LinkedIn.

Let us help you identify any information security risks or compliance gaps that may be threatening your business or its valued data assets. Businesses in every industry face scrutiny for how they handle sensitive data including customer and prospect information.