
Conducting a SOC 2 Audit

Communication During An Audit

During an audit period, as a consultant or lead implementer, you will need to work across different departments within the organization. The departments you will most likely be working closely with are listed below.

  1. Human resources

  2. Information technology

  3. DevOps / Engineering

  4. Executive Level

  5. Information security

  6. Board of Directors

  7. Marketing

Depending on the organization's size and structure this list could change, but it is a good starting point. During the course of an audit, you will need to communicate and follow through on timelines, evidence collection, and gaps found. Closing those gaps will most likely require new controls to be implemented and new processes to be developed. It will be your responsibility as a lead implementer to ensure that the communication regarding these new processes and procedures reaches all parties and is documented for the organization.

Communication with auditors

You will also be responsible for communicating control questions or additional evidence requests from the auditors. This is a big responsibility, as getting the correct evidence can mean the difference between a delayed and a successful project timeline.

Communication with executive team

Your communication will not stop with the auditors or departments within the organization. You will need to provide the executive level team with updates regarding the status of the attestation. Most importantly, you must be able to communicate potential gaps/findings that could negatively affect the opinion statements provided by the auditing firm and get those remediated as quickly as possible.

Audit Procedures and Evaluation of Evidence (Auditors' Point of View)

Once an audit period has been set with the audit team and the organization, it will be your responsibility as a lead implementer or consultant to gather the audit timelines and procedures from the auditing team. This is vital, as service auditors do not have to accept an engagement if they feel that the team members inside the organization do not have the knowledge base to assist.

Audit Procedures (High level)

  1. Gap analysis performed

  2. Remediation if necessary

  3. Firm Selected

  4. Audit dates set

  5. Audit begins

  6. Evidence collection through audit period

  7. Evaluation of evidence collected (internal)

  8. Submission of evidence

  9. Evidence reviewed by auditors

  10. Opinion provided

The above list is not meant to be exhaustive, but to give you a high-level view of what is going to occur from the start of an organization's SOC 2 attestation through the end of the audit period. Some organizations will not have an internal audit function; as a lead implementer or consultant you should view this as an opportunity to review the evidence collected on behalf of the organization. Although this will result in more hours billed to the organization, it is a vital step and a great opportunity for you.

Drafting Audit Plans

Implementers will need to be familiar with project planning skills. Drafting an audit plan is nothing more than laying out the whole audit process on paper and revising it until you arrive at a plan that meets the organization's timelines as well as the auditors'.

Example

To assist with this process, it's best to take the common control criteria and lay them out, along with each control, in a spreadsheet. This will give you a baseline of what is to be expected during the audit period. Next, match each control to the expected output (evidence) for that control.

For example, if the organization is being tested on availability, the auditor may want to see a list of outputs from the regions and availability zones listed inside the organization's cloud service provider.

Audit Findings and Deviations

Auditors for a long time have been paid on the number of findings or deviations that they typically find. They already have the tools and knowledge to find these deviations and, generally speaking, they should have metrics based upon the organization's size to determine if something is wrong. After the audit period has ended and the organization has submitted its evidence, the auditing team will have two or more people comb through the evidence requested and start analyzing it.

During this time the auditing team will come back with one of the following:

1. More questions and a request for additional information.

2. Write up a finding.

3. If the evidence is sufficient and the control is designed properly, they will move on.

If audit deviations are found, this will negatively impact the organization's SOC 2 attestation report, resulting in a qualified opinion, a disclaimer of opinion, or an adverse opinion. This is why it is critical to have the internal teams review the evidence and ensure that controls are consistently operating effectively.

Once the deviations have been noted, they will be placed alongside the controls in the report and given a status of either "No exceptions noted" or a description of why that control failed. These are listed under the column titled "Results of Service Auditor's Tests of Controls".
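The audit-plan spreadsheet described under "Drafting Audit Plans" and the internal evidence review that precedes submission (step 7 of the high-level procedure, and the exception results described just above) can be modelled in a few lines. The following is an added example, not code from the original page: it lays out criteria, control and expected evidence as a CSV, then reviews constructed evidence records against a constructed audit period and produces the per-control result text. The control identifiers, descriptions, file names and dates are all constructed sample data; the TSC references used (CC6.1, A1.2, CC7.2) are real criteria numbers, but the controls listed under them are assumptions for the example.

```python
# Added example, not code from the original page: a small tracker that
# (1) drafts the audit plan as a control-to-expected-evidence spreadsheet
# and (2) performs the internal evidence review before submission to the
# auditors. All control ids, descriptions and evidence records are
# constructed sample data; the TSC references (CC6.1, A1.2, CC7.2) are
# real criteria numbers, but the controls under them are assumptions.
from dataclasses import dataclass
from datetime import date
import csv
import io


@dataclass(frozen=True)
class Control:
    control_id: str
    criteria: str            # Trust Services Criteria reference
    description: str
    expected_evidence: str   # the output the auditor will ask to see


@dataclass(frozen=True)
class Evidence:
    control_id: str
    artifact: str
    collected_on: date


# Constructed audit period for a Type II engagement
AUDIT_PERIOD = (date(2024, 1, 1), date(2024, 12, 31))

CONTROLS = [
    Control("CC6.1-01", "CC6.1", "Production access requires MFA",
            "IdP MFA enforcement report"),
    Control("A1.2-01", "A1.2", "Production runs across multiple availability zones",
            "Cloud provider region and availability-zone inventory export"),
    Control("CC7.2-01", "CC7.2", "Security alerts are reviewed quarterly",
            "Quarterly alert-review meeting minutes"),
]

# Constructed evidence: one control is covered, one only has evidence
# dated before the audit period, one has no evidence at all.
EVIDENCE = [
    Evidence("A1.2-01", "aws-az-inventory-2024-06.csv", date(2024, 6, 15)),
    Evidence("CC6.1-01", "okta-mfa-report-2023.pdf", date(2023, 11, 2)),
]


def audit_plan_csv(controls):
    """Lay out criteria, control and expected output as a spreadsheet."""
    buf = io.StringIO()
    writer = csv.writer(buf)
    writer.writerow(["criteria", "control_id", "description", "expected_evidence"])
    for c in controls:
        writer.writerow([c.criteria, c.control_id, c.description, c.expected_evidence])
    return buf.getvalue()


def review_evidence(controls, evidence, period):
    """Internal evidence review: return the result text per control, in the
    form it would take in the report's 'Results of Service Auditor's Tests
    of Controls' column. Anything other than 'No exceptions noted' is an
    open item to fix before the evidence is submitted."""
    start, end = period
    results = {}
    for c in controls:
        items = [e for e in evidence if e.control_id == c.control_id]
        if not items:
            results[c.control_id] = (
                f"Exception: no evidence submitted for '{c.expected_evidence}'")
        elif not any(start <= e.collected_on <= end for e in items):
            results[c.control_id] = "Exception: evidence dated outside the audit period"
        else:
            results[c.control_id] = "No exceptions noted"
    return results


def open_items(results):
    """Control ids that still need remediation or more evidence."""
    return sorted(cid for cid, text in results.items() if text != "No exceptions noted")


if __name__ == "__main__":
    print(audit_plan_csv(CONTROLS))
    results = review_evidence(CONTROLS, EVIDENCE, AUDIT_PERIOD)
    for cid, text in results.items():
        print(f"{cid}: {text}")
    print("open items:", open_items(results))
```

Run before the evidence package goes to the auditors: every control in `open_items` is one the internal team can still fix, whereas the same gap found by the service auditor becomes a deviation in the report. The date check matters because evidence collected outside the audit period does not demonstrate that the control operated during it.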


Last updated 2 years ago