SOC 2 Buyer’s Guide
SOC 2 is one of the most widely requested cybersecurity audits, and for good reason. This framework is the foundation of many organizations’ compliance strategies and is now an expectation for doing business with customers in many industries.
Read on to learn why SOC 2 is so popular and how your organization can begin its compliance journey with a SOC 2 attestation. In this guide, we will:
- Define SOC 2 and its criteria
- Explain the examination process
- Share best practices for choosing a quality audit partner
- Spotlight real-world SOC 2 success stories
- Give you a list of questions to evaluate potential audit partners
Defining SOC 2
What is SOC 2?
A SOC 2 (System and Organization Controls 2) report is an independent attestation, issued by a licensed CPA firm under AICPA attestation standards, on the design and effectiveness of a service organization’s controls as they relate to Security, Availability, Processing Integrity, Confidentiality, and Privacy. A Type 1 report covers the design of controls at a point in time; a Type 2 report also covers their operating effectiveness over a review period, commonly six to twelve months. Your environment is assessed against the requirements of a SOC 2 examination, known as the Trust Services Criteria (TSC):
- Security (required)
- Availability (optional)
- Processing Integrity (optional)
- Confidentiality (optional)
- Privacy (optional)
Who needs SOC 2?
Service organizations that process, store, or transmit data for their clients or partners need a SOC 2 attestation. While SOC 2 applies to almost any organization, it’s particularly important to data centers, software-as-a-service companies, and managed service providers.
Who can perform a SOC 2 audit?
Only a licensed CPA firm can issue a SOC 2 report. The examination is performed under the AICPA’s attestation standards, and the firm must be independent of the organization it examines. No other type of organization can sign a SOC 2 opinion.
What are the SOC 2 Trust Services Criteria?
SOC 2 comprises five TSC categories. To determine which categories are right for your organization, it’s important to understand what type of data you store, process, and/or transmit and what your customers expect you to demonstrate.
- Security: Made up of the nine common criteria series (CC1 through CC9), ranging from the control environment and communication, to risk assessment and monitoring, to logical and physical access, system operations, change management, and risk mitigation. This category is required in every SOC 2 report.
- Availability: Addresses controls related to the availability and redundancy of services so that the organization can meet its client SLAs. Availability is a worthwhile add-on for most organizations that commit to uptime targets.
- Processing Integrity: Addresses controls ensuring that system processing is complete, valid, accurate, timely, and authorized, so customer data is not corrupted or altered without authorization. Processing Integrity is largely specific to an organization’s services and is not applicable to every organization.
- Confidentiality: Addresses controls related to protecting data that an organization and its clients have designated as confidential, from collection through disposal. Confidentiality is a worthwhile add-on for most organizations.
- Privacy: Addresses controls related to the collection, use, retention, disclosure, and disposal of Personally Identifiable Information (PII), meaning anything that can be tied to an individual. Privacy is the most extensive of the categories and is only applicable to organizations that store, process, or transmit PII.
The examination process
The SOC 2 examination process is a well-defined, six-step audit cycle. The steps are:
- Readiness assessment (optional)
- Scoping
- Audit planning
- Audit testing and review of evidence
- Closing meeting and draft report preparation
- Issuance of the final report
Understanding the steps is an essential part of preparing for your SOC 2 examination.
Building a partner team
Before beginning your audit, you may enlist the help of tools or partners that can help you maximize efficiency, accelerate outcomes, and drive continuous improvement of your SOC 2 attestation. Governance, risk, and compliance (GRC) software solutions frequently work in tandem with your auditor, especially if the auditor is tech-enabled with an audit management platform. This partnership typically shows up in four steps:
- Laying the foundation: GRC tools can help you prepare for your SOC 2 audit by automating evidence collection in addition to managing policies and procedures related to your audit.
- Accelerating with intelligence: This is where your audit partner begins their work. A tech-enabled auditor can generate request lists, match submitted evidence to requests, and deduplicate requests across frameworks if you are conducting multiple audits, with AI assisting these tasks.
- Realizing results: This stage will include your audit partner conducting assessments, reviewing evidence, and delivering your final report.
- Proving compliance at scale: After you’ve earned your attestation, it’s time to show it off to the world. GRC tools can help you showcase and provide automated, secure access to accreditations to potential buyers, saving your team time and effort on manual approvals and questionnaires.
In addition to these steps, GRC tools provide continuous monitoring, which keeps your team in the loop on potential issues and areas for improvement long after you’ve completed your first attestation.
The readiness assessment
Readiness assessments are an optional way for your organization to understand the current state of your compliance before entering an audit cycle. These assessments can give your team the confidence to prepare for your SOC 2 examination. Your audit partner may take one of two approaches with these assessments:
- Traditional approach: Your auditor will perform a formal Readiness Assessment that simulates a Type 1 or Type 2 audit and results in a report with recommendations from the auditor. This option is recommended for companies that don’t have many formal procedures or have never been through an audit before.
- Belay approach: This hybrid two-step approach has a smaller high-level gap assessment of key controls prior to the Type 1 SOC 2 examination. This approach saves time and costs and is designed for more mature organizations with formally established and implemented procedures who still have concerns or questions about their readiness for a SOC 2 audit.
Scoping
During the scoping phase, your auditor team will work with your organization to better understand the scope of services as well as to identify and evaluate the controls in place specific to the scope of services. The auditors will also work with your organization to further explain the SOC 2 framework and TSCs.
Audit planning
Once your organization has engaged an auditor for a SOC 2 examination, you will be introduced to the audit management team to begin the planning phase of your audit. An official kickoff call will be scheduled to discuss the timing of the audit, share key planning information, and provide an Information Request List (IRL) relevant to the defined scope. Your organization should review each request in the IRL to ensure you understand what is being asked for, then begin to gather and provide the requested evidence to the auditors. As the dedicated audit testing date nears, the audit team will set up regular touchpoints with you to answer questions and will encourage your organization to upload as much evidence as possible to an audit management platform such as A-SCEND, or your GRC tool of choice, prior to the start of testing.
Testing and reviewing of evidence
At this stage, the assigned auditor actively reviews all evidence and completes the required testing, which is performed remotely, onsite, or a combination of the two, depending on scope. It is essential that the majority of evidence is uploaded before this phase begins. During the testing and review of evidence phase, the auditor performs the following tasks:
- Explains testing approach based on the SOC 2 requirements
- Confirms the key processes and procedures observed relevant to the scope of services and provides feedback on the system description
- Holds meetings with process owners to understand the controls in place and operation
- Reviews evidence to corroborate management’s description of its controls and completes testing of those controls using the evidence provided in the planning phase
- Asks clarifying questions relating to the evidence provided and processes observed
- Requests additional evidence needed in support of testing the scope of services
- Identifies and proactively communicates potential findings identified in the testing
- Proactively communicates the status of testing and roadblocks encountered
Closing meeting and draft report
This step begins once all evidence has been provided, reviewed, and accepted by the auditor. Your auditor then performs several rounds of quality review, involving multiple levels of audit management, and prepares a draft version of the report. When the draft report is delivered, it is accompanied by a management representation letter that must be signed by an appropriate member of your organization and returned to your audit team. Management will have an opportunity to review the draft report, including the system description and management’s assertion, prior to final issuance.
The final report
Once you have returned the signed management representation letter and the draft report with your comments and suggested updates, the auditor works to finalize the report, which includes addressing any comments left by your organization. Once all comments are addressed and updates applied, the report is finalized and delivered to your organization electronically (a hard copy can also be requested). For more about these steps, download our SOC 2 Buyer’s Guide.
Selecting a quality audit partner
Choosing the right auditor can make all the difference during your examination process. Quality auditors will drive efficiencies for your team and instill confidence in customers that your SOC 2 attestation is reputable and meets a high standard.
There are many ways to define what makes up a quality audit partner. Here are a few considerations to keep in mind when evaluating potential auditors.
Experience and credentials
A potential partner’s experience and credentials are among the first things you should evaluate when choosing an auditor. Look for partners that have been in business for a long time and have a track record of success. In addition to reputation, formal credentials are important. Is this auditor a licensed CPA firm that performs its examinations under AICPA attestation standards, and is it independent of your organization? Only licensed, independent CPA firms can issue SOC 2 attestation reports.
Report quality
Not all reports are created equal. A high-quality report won’t just state an opinion on your compliance; it will clearly describe the system boundary, the controls tested, the tests the auditor performed, and any exceptions found, so that a customer reading it can judge coverage and residual risk for themselves. The AICPA has developed a downloadable checklist to guide management during their review of a SOC 2 report to evaluate its sufficiency and quality.
Tech-enabled services
Choosing an auditor that embraces technology isn’t a preference anymore; it’s essential. Auditors that perform all audit tasks manually will take longer to finish your audit and may be less consistent. We recommend partnering with an auditor that uses its own audit management platform to streamline the process. Additionally, look for an audit partner whose platform integrates with your existing compliance and trust management software, so evidence collected in your GRC tool does not have to be re-uploaded.
Audit process
It’s essential to understand the process that your chosen audit partner will use to complete your SOC 2 examination. Be sure to ask any potential partners about the timeline, scoping, audit cycle synchronization, and team communication before moving forward.
Case study: Obsidian Security
Obsidian Security is a market leader in comprehensive SaaS security, specializing in threat management integration, third-party risk, security posture and configuration, and compliance.
Obsidian’s path toward creating a robust security program started when the team only had 15 employees and a tight budget. Although they were a small team, Obsidian secured business from multinational, highly regulated customers with complex security needs.
The company reached a point of inflection where they needed to scale their compliance program and meet the growing demands of their enterprise customers. With their sights set on obtaining a SOC 2 report, Obsidian looked for an audit partner to help them meet their compliance goals.
Obsidian sought a high-quality report and efficient audit process, driven by a partnership focused on continual improvement. Ultimately, Obsidian chose to engage with A-LIGN and Drata for their audit and GRC requirements.
Obsidian has implemented a robust third-party risk management program, which involves thorough scrutiny of attestation reports from various companies, so their team has ample knowledge on what makes a trusted high-quality, robust audit report.
Of all the assessors’ reports Obsidian has reviewed, Alfredo Hickman, Obsidian’s CISO, said A-LIGN’s stands out for its well-structured and comprehensive nature, particularly in assessing the performance and coverage of controls. The detailed report assures customers and prospects that proper due diligence was performed and fosters trust with other key stakeholders.
“The value proposition of having an audit partner like A-LIGN at the strategic level and having a partner like Drata at the technical and operational level is that you can streamline the entire audit process.”
– Alfredo Hickman, CISO, Obsidian Security
Checklist: Questions to ask your audit partner
Choosing an audit partner is one of the most important steps to completing a SOC 2 attestation for your organization. This decision will impact every other step – from start to finish, your assessor will be with you through it all. This SOC 2 checklist details questions that we recommend you ask any potential assessor.
- What is your experience with SOC 2 attestations?
- Is your firm a licensed CPA firm, and do you perform SOC 2 examinations under AICPA attestation standards?
- How many SOC 2 attestations have you completed?
- How many SOC auditors does your team have?
- Do you have experience conducting SOC 2 attestations in my industry?
- Does your organization conduct other audits?
- Are we able to pursue multiple frameworks at the same time with your organization? How does your team handle this?
- Do you have experience identifying overlaps among multiple frameworks?
- What can I expect during the audit process?
- Does your organization use technology to enhance the audit process?
- What is your response time to questions from our team?
- How do you ensure the quality of your audits?
- How do you define quality?
- What sets your audit process apart from other audit firms?
- How much will my SOC 2 attestation cost?
- What are your rates and what do they include?
- How long does a SOC 2 attestation take with your organization?
- How long will each step of the process take?
- Do you have references and case studies from satisfied customers?
Next steps
If you’re ready to take the next step, contact A-LIGN today to begin your journey to SOC 2 compliance. The A-LIGN difference is:
- 17.5k+ SOC assessments completed
- #1 SOC 2 issuer in the world
- 200+ SOC auditors globally
A-LIGN is the leading provider of high-quality, efficient cybersecurity compliance programs. Combining experienced auditors and audit management technology, A-LIGN provides the widest breadth and depth of services including SOC 2, ISO 27001, HITRUST, FedRAMP, and PCI. A-LIGN is the number one issuer of SOC 2 and a leading HITRUST and FedRAMP assessor.
