As SOC 2 compliance becomes near-universal across SaaS, and is often pursued for the first time by teams juggling competing priorities, auditors are seeing the same mistakes repeated in the process.
Lack of resources. Lack of communication. Lack of understanding of what SOC 2 actually is. And more.
So, if you're taking on a compliance effort, how can you avoid these common issues? What mistakes should you watch out for?
We asked Troy Fine, a SOC auditor at Schneider Downs, what he sees go wrong most often. Here's what he had to say about the nine most common mistakes...
Mistake One: They don't get leadership on board
Most change initiatives fail to reach at least one of their objectives, according to an IBM study. And one of the main reasons big changes fall short is a lack of leadership support.
In Fine's words: "[SOC 2 success] comes down to leadership involvement. The difference between an audit that is going to go quickly and an audit that's going to be a train wreck and a battle has to do with leadership support…That support gives people time to prepare, and it gives them the budget to implement new controls."
The answer to this challenge, Fine says, is to get leadership involved early. Make sure they understand how long compliance will take (and how long the audit process itself will take). Get them on board with the changes you need to make. And make sure they're communicating those changes across the company. Because SOC 2 compliance doesn't just happen in the tech team. It happens in HR, with new hires, and in the policies management puts in place.
Mistake Two: They think it's only application security controls
Security is the focus of almost every SOC 2 audit. But companies run into trouble when they think the audit is limited to testing security controls around core applications. The truth is that it also includes policy-writing, onboarding and offboarding processes, governance, risk assessments, vendor management, and other non-technical elements.
As Fine explains: "50% of the audit has nothing to do with the security of your software. It's risk management. And it involves more people in the company than just engineering and DevOps.
"Most people have good security in their system. Engineers know how to build security in—and it's easy to fix if they don't. The controls that trip companies up are often non-technical in nature. When I onboarded an employee, did they sign off on all their documents? Did they do security awareness training? Do they adhere to HR policies throughout the year? This is the part most companies miss."
The good news is that putting these policies and procedures into place now is good for the company in the long-term. As Fine says, "It's easier to scale processes when you're smaller instead of scrambling to add them as your company doubles or triples in size."
To avoid this pitfall, plan early for how you'll implement your onboarding, offboarding, policies, and governance controls.
Mistake Three: They don't realize how many people need to be involved
If SOC 2 compliance extends past your security personnel, it should come as no surprise that the audit also extends past them. When you plan for your audit, make sure you set aside time for HR personnel, policy owners, and anyone else responsible for security program governance. Your auditor will need to work with them, as well as with your security personnel.
Mistake Four: They don't understand the reporting period for a Type 2 audit
Becoming "compliant" (aka "audit-ready") takes time. And if you need a SOC 2 Type 2 report, the reporting period (typically between three months and a year) should start no earlier than the day you become compliant, meaning all controls have been implemented and are operating effectively. If the reporting period starts before that date, expect control exceptions: your auditor tests the controls across the whole period, all the way back to day one, and any stretch where a control was not yet in place or not yet operating will show up in the report.
This means companies that need a Type 2 report put in the time and work to become compliant and then wait, sometimes for a whole year, before they can validate that compliance with a report.
Then there's the audit itself, which involves assessing 80 to 100 security controls. Simply gathering the control evidence can take 2 to 4 weeks, unless you're using an automation platform like Drata.
So if you are not SOC 2 compliant today and you need a Type 2 report, you may be looking at over a year before you can get it.
In other words: planning ahead is essential.
As Fine explains, "There's a lack of understanding of how long it actually takes to get a type II. There are a lot of companies that try to sell it as a fast and easy process—two weeks and you're done! That's unrealistic for the audit, and it's impossible if you haven't had controls in place for the past three to six months. You need time to prepare, implement controls, find an auditor, and allow three to six months for the reporting period."
Mistake Five: They don't communicate across the organization
Sales and marketing need to understand the length of the process and how close you are to compliance. Leadership needs to know what capacity, budget, and tools you need. HR and other departments need to be developing and implementing policies and procedures. In short, SOC 2 involves your whole organization and communication needs to happen across teams.
The risk of not communicating, according to Fine, is that "the sales and marketing teams over promise. Then there's pressure to get things done faster and the company gets sloppy about putting things together."
Mistake Six: They don't understand how much documentation they'll need
"Policies and procedures are not fun to write," Fine says, "and you definitely need those. Who's going to take time to do them when you're bootstrapping a company and growing?"
Not to mention, he adds, "There are 80 to 100 controls just for security—and you need evidence for each. Gathering and providing that and making sure it's the correct evidence to support the control is vital."
Fine digs deeper into the documentation quagmire, explaining, "The system description is an overview of the system's infrastructure, software, people, data, and controls and must be included in the SOC 2 report. For small to medium size organizations, it is usually 15 to 20 pages in length, but for enterprise organizations, it can easily be 25+ pages. Your CPA firm will probably provide a template, but you still have to take the time to write and update it. Your description must be accurate and complete and align to the controls being tested in your audit. Many CPA firms leave this out when talking to prospects during the sales process. But you need to know how your CPA firm will assist you in writing this section. You need to plan."
The bottom line here is that there's a lot of documentation involved in both becoming compliant and getting your audit. Before you even begin, you should be asking who'll be in charge of each piece and what time you need to set aside for them to do that job.
Mistake Seven: They devalue Type 1 reports
A Type 2 report attests that your controls operated effectively over a period, and one that covers six, nine, or 12 months is more valuable, for sure. A Type 1 report only attests that the controls were suitably designed and in place at a single point in time. But that doesn't mean Type 1 should never be on your radar.
In fact, a Type 1 report can help you prove to your customers and clients that you are working toward long-term compliance. It can also act as a final check once all your controls are in place, catching anything important you have missed before the Type 2 reporting period starts. Otherwise you risk finding out six or nine months later that a key control was missing and your Type 2 report isn't as clean as you'd hoped.
In Fine's words, "Type 1 is quicker. You can get something in your customer's hands, tell them, 'We're on the path to Type 2 and in the interim, we did a Type 1. We plan to mature.' If you wait six or seven months to get your Type 2 report, you have nothing to show leadership [and clients] for your efforts, nothing to prove the result of all the work [for months] you put in preparing."
Mistake Eight: They don't prepare for the cultural shift
Here's a hard truth: Security forces us to do things that we may not culturally want to do.
Culturally, companies (especially tech companies) may want to give lots of freedom to their employees. Bring your own device, use it how you wish! But SOC 2 may require you to put endpoint security controls in place that set stricter limits on what those devices run and how they are configured.
The good news here is that there's a balance to be found. Employees who don't want security measures on their personal devices can be provided with secure company devices, for example. And the better you communicate why you're making security changes, the more likely people are to come on board.
Mistake Nine: They don't realize they need a CPA
SOC 2 sounds like something security companies do, but—surprise!—you actually need a licensed CPA.
The reason is that the SOC framework started with SOC 1, a report on a service organization's controls that are relevant to its customers' financial reporting, and who better to examine those than a CPA? Then, as security became top-of-mind and frequently intersected with financial reporting, it made sense for the AICPA to develop a second type of report (SOC 2) focused on security and the other Trust Services Criteria, issued under the same CPA attestation standards.
If the thought of finding the right CPA firm for your SOC 2 report gives you hives, Fine has some tips: "Any CPA firm can do a SOC 2 audit, so everyone will say they can do it. But does the firm know what they're doing? Some might only do 10 in a year and [their lack of expertise means] you get stuck in a miserable experience.
"You really want to ask these kinds of questions: Do they answer your questions in CPA lingo or do they communicate requirements in terms you understand? Will they educate you on processes and guide you through the audit? Do they understand your tech stack? Will they use software that makes the audit easier? Will they take a 'by the book' approach or will they be fair and reasonable and willing to collaborate?"
How to avoid these SOC 2 pitfalls
There are several keys to avoiding these common mistakes. First, make sure leadership is on board and focus on company-wide buy-in. The more everyone is aligned on a change, the better your chances of success.
Second, understand how much work and documentation goes into the process and plan accordingly. Flag these pitfalls up front and make sure your strategy, process, and workflow account for them.
Third, make sure you have the right tools (and people) in place to help you succeed. This may mean a SOC 2 automation platform like Drata that'll help you with auditor-approved policies, automated evidence collection, control monitoring, and reports to prove your continuous compliance posture. And it'll definitely mean finding the right CPA firm—with experienced, tech security-savvy professionals like Troy Fine who can walk you through the process—to do your audit.
Troy Fine joined Schneider Downs in 2011 and is currently responsible for managing the execution of information security and cybersecurity attestation engagements. As an information security professional and auditor, Troy helps clients manage their security program within the context of their overall risk environment. He is currently a CMMC Provisional Assessor and a Registered Practitioner. His areas of expertise include SOC 1 examinations, SOC 2 examinations, SOC 2+ examinations, CMMC, NIST 800-171, NIST 800-53, Sarbanes-Oxley Section 404 compliance, HITRUST assessments, HIPAA assessments, ISO 27001 assessments, and third-party risk management assessments.