A SOC 2 report is a third-party validation that attests to an organization’s ability to protect data and information. It’s widely accepted across industries and provides a singular asset that can be used in the due diligence process with multiple prospects and customers — replacing the need to undergo a custom cybersecurity audit with each new customer.
To obtain a SOC 2 report, a company must submit to an audit in which assessors evaluate the internal controls used to secure information, along with the systems, technology, and staff roles within the organization. Although some organizations tout that they can complete this process in two weeks, experienced CPAs repeatedly state that 14 days is simply not enough time to properly and thoroughly complete all aspects of the SOC 2 audit process.
In this blog, we’ll review each step of the SOC 2 audit process and explain how long each aspect of the audit process takes. This piece is meant to serve as a general guideline, as audit timelines can vary significantly based on the size of a company and the complexity of its environment and services.
Step 1: Find the Right Partner and Team
The first step toward completing a SOC 2 audit is to engage with an audit partner. It’s important to note that SOC 2 audits are regulated by the AICPA and reports can only be generated by an external auditor from a licensed CPA firm — like A-LIGN. Once you engage with a partner, there will be some preliminary discussions to define the scope of the project and sign a contract.
If this is your first time pursuing a SOC 2 report, we highly recommend completing a SOC 2 readiness assessment to examine any gaps in controls or processes prior to an official audit. This can help you save time (and money) before undergoing the bulk of the SOC 2 audit process.
Once you’re ready to officially proceed, contracts will be signed and the official engagement will begin. At that point you will be introduced to your SOC audit team. At A-LIGN, SOC 2 audit teams typically consist of a senior manager, manager, and auditor.
Senior managers and managers act as primary points of contact during preliminary discussions. Auditors take over as the point person when it’s time for walkthroughs, testing, and evidence review. All three of these roles work together throughout the entire audit to ensure you are supported and informed every step of the way. Through the A-SCEND platform, clients have direct access to the audit team to flag issues, ask questions, and submit evidence in real time. The tool helps companies stay organized throughout the audit process and maintain a clear understanding of what is required.
Step 2: Information Requests
Estimated Timeline: 2-3 Business Days
First your audit team will generate an Information Request List (IRL) for your organization. This list of essential information is based on:
- The prior year’s report (if you have completed the SOC 2 process before)
- The scope
- The trust services criteria
- Other factors determined during the scoping phase (e.g., new technology, locations, third-party services being leveraged, cloud hosting services, etc.)
When partnering with A-LIGN, your audit team will publish this list for you through the A-SCEND platform. The A-SCEND platform is an audit and compliance management software tool that streamlines the audit process. A-SCEND keeps all evidence requests in one place, tracks your audit’s progress, automates your readiness assessment, and consolidates information for any future compliance audits you may want to pursue.
After the IRL has been published, there will be a call with the SOC audit team to re-confirm the timing and scope of the project.
Step 3: Evidence Collection for a SOC 2 Audit
Estimated Timeline: Varies
Depending on the scope of the audit, the time it takes for evidence collection can vary. To expedite the process, clients can use automated evidence collection (AEC) and the Policy Center with the A-SCEND platform.
Evidence collection can be a time-intensive process. Many experts recommend using compliance software tools to help reduce time and make the process more efficient. At A-LIGN, we encourage clients to use our tool, A-SCEND. Our software automatically collects evidence via cloud integration APIs. Once the evidence is collected it is transformed into readable reports that are automatically mapped to the corresponding evidence requests from the IRL. This process reduces the amount of effort, time and resources required for providing evidence.
If the need for a SOC 2 report is urgent, the collection period can be shortened. If you anticipate this will be the case for your company, it’s important to be prepared. Consider gathering essential materials prior to your kick-off call with your audit partner so everything is organized in one place. We also recommend you make sure you have staff resources assigned to assist with the SOC 2 process ahead of time, so you can reduce the risk of other internal priorities cutting into your SOC 2 efforts.
Step 4: Fieldwork
Estimated Timeline: 2-6 Weeks
Once evidence collection is complete, fieldwork (formal walkthroughs of your environment) will officially begin. The goal of this phase is to gain an in-depth understanding of your organization’s controls, processes, and procedures related to people and technology. The length of fieldwork will vary depending on the scope, locations, applications, and trust services criteria. Generally, you can expect this phase of the SOC 2 audit process to last between two and six weeks.
Step 5: The SOC 2 Report
Estimated Timeline: 3 Weeks
After completing the walkthroughs and testing, the SOC audit team will generate a SOC 2 report for your company. The SOC 2 report comes in two parts:
- Draft: You’ll receive a draft report within three weeks of completing the fieldwork, sometimes earlier depending on deadlines and the complexity of the scope. During this draft report phase, you’ll have the opportunity to review the assertion, opinion, system description, and testing of the controls. If necessary, you can provide feedback or ask questions of the audit team. Once the draft report is approved internally, you’ll sign a management representation letter and notify your SOC 2 team that they can proceed with the final report.
- Final Report: One to two weeks after the draft has been approved, you’ll receive a final report with any updates or clarifications requested in the draft phase.
Partner with A-LIGN to Begin Your SOC 2 Audit Journey
Founded in 2009, A-LIGN is the top issuer of SOC 2 audits in the world. We have completed over 5,000 SOC 2 assessments and can confidently say that a proper SOC 2 audit takes at least eight weeks to complete. In planning for your SOC 2, beware of the “14-day audit” promise — this is likely only referring to the audit readiness timeline. At A-LIGN we provide the tools and expertise to help you during every step of the SOC 2 audit journey — from readiness to report.
Ready to pursue a SOC 2 audit for your business? Speak to an expert at A-LIGN to get started.