SOC 2 Compliance Checklist: 9 Steps to Take Before Your Audit

A System and Organization Controls 2 (SOC 2) audit is an in-depth examination of your organization’s processes, systems, and controls as they relate to security, availability, confidentiality, processing integrity, and privacy—do you know how to prepare for that?
It may seem overwhelming, but it doesn’t have to be. We’ve created this easy-to-follow checklist to help you start your journey to SOC 2 compliance.
Reasons You May Need a SOC 2 Report
There’s a variety of reasons why your organization may need a SOC 2 report. Here’s a closer look at some of the most common ones.
You’re a Software Provider That Handles Sensitive Information
Cybersecurity concerns are top-of-mind for organizations. Global cybercrime costs are expected to grow by 15% per year over the next five years—reaching $10.5 trillion annually by 2025. With that in mind, it’s more important than ever for your enterprise customers to ensure that their information will be secure when using your services.
Therefore, having a SOC 2 report will not only help build trust with your customers but can also serve as a sales tool and ease a prospect’s decision to choose your product.
An Increase in Outsourcing
As outsourcing rises in popularity, the number of organizations asking about SOC 2 compliance is rising as well. To be a trusted vendor for your industry, it’s in your best interest to pursue this attestation.
Uncovering Value
A SOC 2 report provides valuable insights into your organization’s risk. This has the potential to help you avoid the costs associated with a breach. It also gives you a competitive advantage over companies that choose not to take this step and can’t prove compliance.
SOC 2 Audit Checklist
What goes into the preparation and execution of a SOC 2 audit? These are the steps you can expect to take, with more detail on what to do during each part of the process below.
1. Determine if a Type 1 is Necessary
2. Determine Your Scope
3. Communicate Process Internally
4. Perform a Gap Assessment
5. Remediate Control Gaps
6. Update Your Customers and Prospects
7. Monitor and Maintain Controls
8. Find an Auditor
9. Provide Requested Evidence to Auditor
1. Determine if a Type 1 is Necessary
To get started with SOC 2, the first step is to decide whether you want an auditor to perform a SOC 2 Type 1 audit before the more rigorous SOC 2 Type 2 audit.
When performing a SOC 2 Type 1 audit, auditors review policies, procedures, and control evidence to determine whether controls are suitably designed to meet the applicable SOC 2 criteria. The audit covers a point in time, and the resulting report will state whether or not controls were suitably designed as of a specific date.
When performing a SOC 2 Type 2 audit, auditors perform a more rigorous audit. In addition to determining if controls were suitably designed, they will also review evidence to determine that controls were operating effectively over a period of time to meet the applicable SOC 2 criteria.
Because of the nature of a Type 1 versus a Type 2, organizations typically will engage an auditor to perform a Type 1 audit prior to a Type 2 audit. However, Type 1 audits do not need to be performed prior to completing a Type 2—organizations can choose to undergo a Type 2 audit without ever undergoing a Type 1 audit.
Customers will typically accept a Type 1 report for their vendors undergoing a SOC 2 audit for the first time, but they will more than likely expect a Type 2 report moving forward.
2. Determine Your Scope
SOC 2 audits cover a system that includes the following components, as defined by the AICPA’s attestation standards: infrastructure, data, procedures, software, and people. As part of scoping, you will need to determine which system components are in scope.
Beyond that, you’ll also need to determine which Trust Services Categories to include.
The Trust Services Categories are:
Security: Information and systems are protected against unauthorized access, unauthorized disclosure of information, and damage to systems that could compromise the availability, integrity, confidentiality, and privacy of information or systems and affect the entity’s ability to meet its objectives.
Availability: Information and systems are available for operation and use to meet the entity’s objectives.
Processing integrity: System processing is complete, valid, accurate, timely, and authorized to meet the entity’s objectives.
Confidentiality: Information designated as confidential is protected to meet the entity’s objectives.
Privacy: Personal information is collected, used, retained, disclosed, and disposed of to meet the entity’s objectives.
You don’t have to include all five Trust Services Categories. Security is the only mandatory category; however, Availability and Confidentiality are frequently included as well.
3. Communicate Process Internally
Throughout your SOC 2 audit planning process, it is imperative to communicate internally with key players.
Your organization’s executive management and department leaders (Human Resources, Engineering, DevOps, Security, IT, etc.) will be responsible for participating in implementing controls and providing evidence to the auditor. Explaining the who, what, when, where, why, and how of the audit will be crucial to preparing employees for their obligations.
4. Perform a Gap Assessment
One of the first steps on your SOC 2 journey will be to perform a gap assessment. Look at your existing procedures, policies, and controls to help better understand your current security posture and which controls you still need to implement to meet the applicable criteria of the Trust Services Categories.
5. Remediate Control Gaps
Once your gap assessment has been completed, it can take time to remediate the findings and ensure that the SOC 2 control requirements are being met. You will need to spend time with your teams reviewing policies, formalizing procedures, making necessary changes to software, and taking any additional steps, such as integrating new tools and workflows. This will allow you to close gaps before the audit takes place.
6. Update Your Customers and Prospects
In the spirit of transparency and building trust, discuss with your team a few ways to promote your security practices with customers and prospects. Although you don’t have to announce that you’re pursuing SOC 2, you can still outline the processes you have in place to keep their data safe.
On your website or social media, consider outlining a high-level overview of:
Any continuous security control monitoring you have in place.
Employee training.
Penetration testing you’ve conducted.
Data encryption procedures.
7. Monitor and Maintain Controls
Now that you’ve made remediations and added controls to reach SOC 2 compliance, establish processes that help you and your team continuously monitor and maintain those controls. If you haven’t already, implement a tool that can automate control monitoring and evidence collection.
8. Find an Auditor
Before you begin looking for an audit firm, it’s important to determine what you’re looking for in an auditor. The right auditor can do much more than conduct your audit—they can help you understand and improve your compliance programs, streamline the process, and ultimately achieve a clean SOC 2 report.
Look for someone who:
Answers your questions intelligently and in a way your team understands.
Understands your industry.
Collaborates well with you and your team.
Has good references.
For more tips, head to our article on how to find the right auditor.
9. Provide Requested Evidence to Auditor
At this stage, you’re ready to begin the audit process. Once you provide all the necessary information to your auditor, they will review evidence for each in-scope control, verify information, schedule any walkthroughs, and provide you with the final report.
To get an in-depth look at the entire audit process, read our article on what your organization can expect from start to finish during a SOC 2 audit.
If you’re ready to put your journey to SOC 2 on autopilot, schedule a call with our team to see how.