Committing to a System and Organization Control (SOC) 2 examination is an exciting endeavor. Your SOC 2 report can differentiate your organization as one who takes the security of your customer data seriously. However, with this powerful tool comes common misunderstandings about the process and factors that could hinder the success of your audit.
So how can you best prepare? Like mapping out an itinerary for an upcoming vacation or creating a menu prior to a dinner party, planning ahead can help you avoid common mistakes and ensure your organization is on the path to reach your security and compliance goals.
SOC Reports Explained
SOC examinations are a popular way to audit your organization and report on the effectiveness of your controls. A SOC report builds trust with your customers and stakeholders and develops your organization’s reputation.
BARR’s SOC services currently include SOC 1, SOC 2, SOC 3, and SOC for Cybersecurity. Within each examination, your organization can obtain a Type 1 or Type 2 report. Type 1 reports, referred to as point-in-time reports, test the design of your controls as of a specific date. Type 2 reports test your controls over a review period of three to 12 months.
Specifically, SOC 2 reports are based on the AICPA’s five trust services criteria. While security is the only required category, you can select from the remaining criteria to best fit your organization’s needs:
- Security (required)
- Availability
- Confidentiality
- Processing Integrity
- Privacy
Common Mistakes Made Prior to a SOC 2 Report
We sat down with Cameron Kline, manager of cyber risk advisory at BARR, to discuss his opinion on best practices when preparing for your SOC 2 audit. Read his insight on four common mistakes organizations make prior to starting their audit and what you can do to avoid them.
1.) Not Assigning Roles (and to the Right People)
Before starting your SOC 2 audit, it’s extremely important to assign specific roles to the right people. While BARR works as your trusted partner, you’ll be responsible for maintaining communication during your audit and designating the appropriate person to share relevant information.
“Not having the correct people in place can lead to delays and exceptions,” said Kline. “It’s helpful for the people who know your controls best to serve at the forefront of your audit journey. Since they are the ones working with your controls on a day-to-day basis, it will help to assign them as lead or project manager for when the time comes to answer pertinent questions about your organization.”
Here are a few tips for assigning roles prior to your audit:
- Create a plan and confirm expectations with your teammates beforehand to ensure you’re organized and ready to dive into your audit with BARR.
- Select the right people for the right job so communication will flow smoothly and the correct information is being transferred.
- Designate a project manager who can serve as the sounding board and organizer for your team, saving time and avoiding miscommunication.
2.) Opting Out of the Readiness Assessment
The readiness period of your SOC 2 audit prepares your organization’s policies and procedures so your assessment runs smoothly. Readiness assessments test the controls that will be examined during your audit, and your engagement lead will provide recommendations for remediation.
Benefits of conducting your readiness assessment include:
- Initial testing of controls
- Recommendations for remediation
- Remediation of issues
- Reduced chance of unexpected control gaps
Even if this is your first time approaching a SOC examination or your organization isn’t ready to complete a readiness assessment, it’s helpful to have a game plan in place. BARR works with you to determine what controls and systems should be tested and guides you through each step of the way.
“It’s important not to rush the process,” said Kline. “While BARR works with you to efficiently execute your SOC 2 report, trying to navigate your audit too quickly when you don’t yet have the appropriate resources will only lead to mistakes.”
Kline added, “Organizations are sometimes hesitant to reveal systems that may not operate effectively. However, BARR really aims to serve as your partner throughout this process and help you alleviate any pain points. Overall, we can’t advise on what we don’t know, which is why a readiness assessment is so important. We’re here to help you through your challenges and create the most successful outcome for you as possible.”
3.) Not Tailoring Your Scope
There’s no one-size-fits-all approach to identifying your scope, so it’s important to think about your organization’s individual needs. For your SOC 2 report, you’ll want to consider the five trust services criteria—security (required), availability, confidentiality, processing integrity, and privacy—and which categories best address your customer data.
“You don’t need to include every system in your scope,” said Kline. “If you’re adding too much, it could cost time; while too few criteria may result in more questions from customers or not remediating the right controls.”
You also want to avoid scope creep, which involves changing your scope after the project begins.
“Scope creep occurs when you try to move too many systems around after we’ve already started your audit. This will increase time and the likelihood of risk, so it’s important to identify and tailor your scope ahead of time. When scope creep happens, there will inevitably be exceptions to your systems and controls,” said Kline.
A few questions BARR will ask your organization when defining your scope include:
- How is your customer data stored?
- Does this system process, store, or transmit customer data?
- Which systems are critical in commitments to your customers?
- If one system goes down, will it impact customers?
4.) Stopping with SOC 2
While SOC 2 reports are an excellent way to build trust in your organization, it’s important to think about the big picture of your security roadmap. Consider a continuous management plan that includes recurring SOC reports as well as other frameworks as you grow with your customers.
“At BARR, we leverage your existing controls and map those controls to your choice of criteria and frameworks in order to gain as much efficiency as possible and ensure we are not duplicating control testing efforts. This saves you time on evidence collection,” said Kline.
For example, BARR is one of only nine firms in the US eligible to perform both a SOC 2 report and an ISO 27001 certification at the same time. We combine our efforts to cover these frameworks, which allows you to walk away having completed two audits in one set of meetings.
Use BARR as Your Trusted Partner
Navigating the start of your SOC 2 audit may feel overwhelming. However, the most important thing to remember is that BARR is here to set you up for success.
“At BARR, we operate under a ‘no surprise’ policy—meaning, you won’t receive a report with surprise exceptions or gaps,” said Kline. “We also work with transparency in everything we do and guide you through each step of the engagement. Your issues become our issues, and no matter what you bring to the table when first starting your SOC 2 report, we’re here to make the process as enjoyable and seamless as possible.”
Are you interested in getting started with your SOC examination? Contact us today.