8 Questions to Ask Your SOC 2 Auditor Before Signing a Contract
A SOC 2 audit is a third-party review that attests to an organization’s ability to protect data and information. In a world where data breaches and cyberattacks are on the rise, a SOC 2 report is a valuable tool to:
- Increase insight into your organization’s security posture
- Understand opportunities for control improvements
- Position your company more competitively in your market (prospects want to ensure your organization takes security seriously)
There are a lot of vendors out there that cater to different aspects of the SOC 2 process — from software providers who help you get audit-ready to certified auditors from CPA firms who can test your environment and issue a final SOC 2 report. Ideally you will want to find a firm that can take you all the way from SOC 2 readiness to report.
Use this checklist of important questions to vet your SOC 2 auditor before signing a contract. Following this checklist will help you complete a thorough due diligence process to ensure that you partner with the right team and get the most out of your audit.
1. Are you a licensed CPA firm?
SOC 2 audits are regulated by the American Institute of Certified Public Accountants (AICPA) and must be completed by an external auditor from a licensed CPA firm. This is the only way a company can receive an official SOC 2 report. It’s important to confirm that the SOC 2 vendor you are considering working with has the proper accreditation.
2. Can you provide us with a final report?
If you are considering using a SOC 2 compliance software provider, it’s important to confirm that they also provide audit services that will result in a SOC 2 report, ideally without having to shift your information to another vendor in the middle of the audit process.
As discussed above, a final report can only be issued by an auditor from a licensed CPA firm. Many SOC 2 software providers only offer a solution to assess your readiness to complete a SOC 2 audit — they cannot perform and/or issue the SOC 2 audit and report itself.
If you choose to work with a software provider, you must ensure that they also have certified auditors on staff. Otherwise, you’ll need to sign on a secondary vendor to complete the actual audit. This is not recommended, as it leaves too much room for things to be “lost in translation” between the two entities, leading to wasted resources and delayed audit and report timelines.
A-LIGN offers an end-to-end compliance solution — with a SaaS automation compliance platform to help you complete a readiness assessment and streamline the entire audit process, as well as certified auditors to produce a final report. This creates efficiencies while maintaining control of your environment.
3. Do you offer SOC 2 readiness services?
A SOC 2 readiness assessment is a valuable tool to help you understand your company’s position before completing an official audit. A readiness assessment can help you identify gaps in your cybersecurity procedures (and the severity of those gaps) that need remediation before a SOC 2 audit. This will ultimately help you save time, set priorities, and put your company in a better position to perform well during the SOC 2 audit.
Companies like A-LIGN provide readiness services via automated software — which offers easy-to-read dashboards outlining gaps and priorities, and provides tips to navigate the audit process better.
4. What is the timeline of a SOC 2 examination?
Many software providers tout they can complete a SOC 2 audit in 14 days. It’s important to clarify this statement before signing a contract. A lot of times, the two-week timeline is an estimate for an expedited evidence collection process — but evidence collection is only one step in the SOC 2 audit process and does not result in a full audit or final report.
Ask your vendor for a complete timeline and have them outline their step-by-step process for moving through the SOC 2 audit. This is essential for you to resource appropriately. It’s also crucial to know when you can expect to have a report in hand so you can properly communicate with prospects who ask about a SOC 2 report during the sales process.
5. What does the evidence collection process entail?
The evidence collection process varies significantly based on the scope of your audit. Often it can include hundreds of requests for evidence.
We recommend using compliance automation audit software to streamline the evidence collection process and organize assets. Ask your vendor if they provide software to assist in this process.
At A-LIGN, our A-SCEND platform automatically collects evidence via cloud integration APIs.
Once collected, A-SCEND creates readable reports that are mapped to corresponding evidence requests from the “information request list” (provided earlier in the audit process). This helps you see what information is already collected and what else your team still needs to gather and provide.
Automated software significantly reduces the time it takes to collect, share, and analyze evidence. With A-SCEND, this information can also be stored and re-used to help complete other audits, saving your organization money and resources.
6. How many SOC 2 audits have you completed to date?
There is no substitute for experience. Choosing a seasoned SOC 2 auditor will be the difference between a fast and painless audit process that results in a reputable final report and being issued a piece of paper that no one accepts.
In addition to asking about the number of audits completed to date, you can also get a sense of a company’s experience based on the resources and information they provide about the SOC 2 process on their website. A trusted, experienced partner will be able to provide you with plenty of information to educate you about the SOC 2 process and detailed information about their services and tools.
7. In what industries do you have experience?
You’ll want to ensure your SOC 2 auditor is familiar with the ins and outs of your industry, so they understand how the SOC 2 criteria fit your organization. Plus, many elements of SOC 2 overlap with those of other necessary, industry-specific audits. If your auditor has experience in the healthcare sector, for example, they’d be familiar with the overlap between SOC 2 and HIPAA (Health Insurance Portability and Accountability Act) compliance. They may be able to offer you a SOC 2 + HIPAA combined security assessment. This would allow you to complete both audits simultaneously while saving time and resources.
8. What other services do you provide that could help as we continue to grow as a company?
SOC 2 is just one of the many important audits and assessments in the world of compliance and cybersecurity. It’s common for companies who complete a SOC 2 audit to pursue other compliance priorities as well.
Plus, as mentioned above, SOC 2 overlaps with other audit criteria. Completing a SOC 2 audit positions you well to pursue other complementary certifications. Look for a vendor that offers other audits, attestations, and assessments so you can create a long-term partnership that meets all your cybersecurity and compliance needs. It’s advantageous to build a relationship with one vendor, so as not to duplicate efforts related to evidence collection and fieldwork.
From Readiness to Report with Trusted SOC 2 Auditors
A-LIGN is a licensed CPA firm and the top issuer of SOC 2 reports in the world. We have completed more than 5,000 SOC 2 audits and employ more than 170 SOC 2 auditors located around the world.
In addition to the expertise of our auditors — and our deep experience — we also offer a compliance automation software solution. A-SCEND streamlines the evidence collection process and provides you with all of the tools you need to successfully complete a SOC 2 audit, from readiness to report.
Contact us today to learn more about A-LIGN’s SOC 2 services.