What You Should Expect With SOC 2®
- Written by: Megan Soat
How do you prepare for a SOC 2® audit? Many businesses look to HBS for help with SOC 2®, so we put together this overview to help provide insight into our process. We also discuss what YOU need to do to prepare for a successful SOC 2® report.
Common SOC 2® Questions
What is SOC 2®?
SOC 2® is an externally validated report. Companies are often asked by their clients to provide some form of cybersecurity compliance report to prove they have adequate security controls in place to protect data/information shared between the two organizations.
SOC 2® reports must be completed by an AICPA firm. The CPA will conduct the audit over several months and deliver the report at the end. There are two Types of SOC 2® reports, Type I and Type II. Type I examines the design of controls at a specific point in time. Type II assesses the operating effectiveness of controls over a period of time.
Where to begin?
Once you decide to pursue SOC 2®, there are a few things to keep in mind before getting started. You need to first determine if you want assistance preparing for the audit. HBS offers readiness assessments to examine whether your business is adequately prepared for a SOC 2® engagement. And where businesses fall short of preparedness,we assistance them in getting there.
Timeframe for SOC 2®?
One big misconception about SOC 2® is the amount of time it will take. While this varies depending on your business’s size and the scope of the audit, the typical Type II audit usually takes a minimum of 8 months for the entirety of the engagement. This includes the opinion period, audit fieldwork, and time for the auditors to develop and deliver the report. The readiness process with HBS before the audit can also take an additional 2 to 3 months, depending on the preparedness of the company. If your company is looking for a quicker turn around, starting with a Type I audit may be the best path.
SOC 2® Readiness Steps:
At HBS, we have a process established to make the experience smoother for you. Here’s a brief overview of what you can expect from the first call to the final report.
Step 1: Initial Inquiry & Discovery Call
During the initial conversations, our Client Engagement team will get to know your business and walk you through the basics of a SOC 2® report. A consultant may also join the call to ask more detailed questions and help with scoping the engagement. Some initial questions include:
- What cybersecurity requirements are your clients/prospects demanding in the contracts you are attempting to fulfill?
- What is your timeframe?
- What areas of your business need to be within the SOC 2® scope?
- How many employees have access to the areas being audited? Which employees are involved?
- Where is your data stored and how does it flow through the organization?
- Step 2: Statement of Work
After we compile the information from discovery, we build the customized SOC 2® completion plan for your business. This includes the details for the readiness process, the cost, and a timeline for the work.
Step 3: Pre-Engagement Forms
Once the Statement of Work is signed, we can begin the process of preparing your company for a SOC 2®. This includes gathering more information that will be included in the SOC 2® and a list of who within your organization needs to be prepared for the process. Your lead consultant will hold a kick-off call with your team to discuss the process, set expectations and answer any initial questions. HBS will request any supporting documentation you have at this time. And a consultant will be assigned to your project based on your SOC 2® needs and their expertise.
Step 4: Readiness Fieldwork
The fieldwork during your SOC 2® preparation is how we get a first-hand look at the work ahead. During the fieldwork phase, interviews are conducted with your staff, and current security controls are reviewed to determine maturity level. Where any gaps are identified, the consultant will provide guidance on what should be in place, and how to get there. This is more than just a yes or no Q&A; it is a conversation. Your consultant will ask detailed questions to fully understand the operations and needs of the organization. At the end of the engagement, HBS will deliver a control listing with the status of each control, supporting documentation and audit evidence needed, as well as recommendations where appropriate.
Step 5: Contact Auditor & Set Up Audit
After preparation for the audit is complete and your company and HBS feel confident in your readiness, the ‘as of’ date for a Type I audit can be set or the opinion period can begin for a Type II. Most audit firms prefer a minimum of a 6-month opinion period for a Type II audit. If you haven’t selected a CPA firm to perform the audit yet, HBS can provide recommendations of firms with whom we have close relationships. If you already have a firm in mind, we’re happy to work with the auditor of your choice as well. The earlier you can get the auditors involved, the better.
Step 6: Audit Fieldwork
During fieldwork of the audit, your HBS consultant will engage with the auditors to answer any questions and help mediate any concerns that may arise. Your consultant is there as a representative for YOUR organization and will ensure the auditors stay within scope and reason. The fieldwork for the audit can take several months to complete. The more prepared and dedicated your team, the faster the process will go and the sooner you will receive the report.
Maintaining Your SOC 2®
Once you complete your SOC 2® report, the work isn’t finished. You will need to keep up with yearly audits to re-validate your controls. The best way to ensure continual compliance is to maintain your security standards and evaluate and adapt to any changes within your business. SOC 2® isn’t a one and done. Continual monitoring and activity are needed to ensure success.
Preparing for a SOC 2® may seem daunting, but it doesn’t have to be! HBS is ready to help make the process less stressful for you. To learn more, contact HBS today.