How do you prepare for a SOC 2 audit? Unless your company has a client requesting a SOC 2, or some type of compliance report, you probably don’t know much about them. That’s okay!
Many businesses come to Pratum looking for help with SOC 2, and with years of experience in the area we can help guide you to have a smooth preparation and audit. Here’s an overview of our process, and what you as a company need to have prepared to be successful.
What is SOC 2?
Very simply, SOC 2 is a compliance report. Many times, a company will be asked by a client to provide some sort of compliance report to prove the company has adequate security measures in place to protect any data shared between the two businesses.
SOC 2 reports must be completed by an AICPA firm. The CPA will conduct the audit over several months and deliver the report at the end. There are two Types of SOC 2 reports, Type I and Type II. Type 1 examines the design of controls at a specific point in time. Type II addresses the operating effectiveness of controls over a period of time.
Where to begin?
Once you decide to pursue SOC 2, there are a few things to keep in mind before getting started. You need to first determine if you want assistance preparing for the audit. Pratum offers readiness assessments to examine whether your business is adequately prepared for a SOC 2 engagement as well as assistance with getting there.
Timeframe for SOC 2?
One big misconception around SOC 2 is the amount of time it will take. While this varies depending on your business’s size and the scope of the audit, the typical Type II audit usually takes a minimum of 8 months for the entirety of the engagement. This includes the opinion period, audit fieldwork, and time for the auditors to develop and deliver the report. The readiness process with Pratum before the audit can also take an additional 2 to 3 months, depending on the preparedness of the company. If your company is looking for a quicker turn around, starting with a Type I audit may be the best path.
At Pratum, we have a process established to make the experience smoother for you. Here’s a brief overview of what you can expect from the first call to the final report.
Step 1: Initial Inquiry & Discovery Call During the initial conversations, our Client Engagement team will get to know your business and walk you through the basics of a SOC 2 report. A Consultant may also join the call to ask more detailed questions and help with scoping the engagement. Some initial questions we may ask include: What all is required in any contracts you’re trying to fulfill? What is the timeframe you’re working with? What is the scope of the SOC 2 you need? How many and which employees have access to the areas being audited? Where is your data stored and how does it flow across the organization?
Step 2: Statement of Work After we get all the information needed, Pratum’s Client Engagement and Consultants come together to build the customized plan for your business. That includes the details for the readiness process, what it will cost, and a timeline for the work.
Step 3: Pre-Engagement Forms Once the Statement of Work form is signed, we can begin the process of preparing your company for a SOC 2. That means getting into some more detailed questions about what will be included in the SOC 2 and who needs to be prepared within your business. The consultant will hold a kick-off call with your company to discuss the process, set expectations and answer any initial questions. Pratum will request any supporting documentation you have at this time as well. If you haven’t selected a CPA firm to perform the audit yet, Pratum can provide recommendations of firms we have close relationships with. If you already have a firm in mind, we’re happy to work with the auditor of your choice as well. The earlier you can get the auditors involved, the better.
Step 4: Readiness Fieldwork The fieldwork during your SOC 2 preparation is how our Consultants get a first-hand look at the work ahead. The consultant assigned to your project will be hand selected based on their expertise and how it can benefit you. During the fieldwork phase, interviews are conducted with the necessary staff and current security controls are reviewed to determine maturity level. Where any gaps are identified, the consultant will provide guidance on what should be in place, and how to get there. This is more than just a yes or no Q&A; it’s a conversation. The Consultant will ask detailed questions to fully understand the operations and needs of the organization. At the end of the engagement, Pratum will deliver a control listing with the status of each control, supporting documentation and audit evidence needed, as well as recommendations where appropriate.
Step 5: Contact Auditor & Set Up Audit After preparation for the audit is complete and your company and Pratum feel confident in your readiness, the audit opinion period can begin. Most audit firms prefer a minimum of a 6-month opinion period. If not already in communication with the auditors, this is the time to reach out to them to discuss timelines and schedules.
Step 6: Audit Fieldwork During fieldwork of the audit, the Pratum Consultant will be present with the auditors to answer any questions and help mediate any concerns that may arise. The Consultant is there as a representative for your company and will ensure the auditors stay within scope and reason. The fieldwork for the audit can take several months to complete. The more prepared and dedicated your team can be, the faster the process will go and the sooner you’ll receive the report.
Keeping Up Your Compliance
Now that you’ve completed your SOC 2 audit, the work isn’t finished. You’ll need to keep that up with yearly audits to re-validate your controls. The best way to ensure continual compliance is to maintain your security standards and evaluate and adapt to any changes within your business. SOC2 isn’t a one and done. Continual monitoring and activity are needed to continue to be successful.
Preparing for a SOC 2 may seem daunting, but it doesn’t have to be! Pratum is ready to help make the process less stressful for you. To learn more, contact Pratum today.