SOC 2 Audits: What Your Organization Can Expect From Start to Finish

Companies that undergo a SOC 2 audit are taking a big step in their compliance journey. They’ll need to provide documentation around their security program and proof of internal controls, but is there more to prepare for? Knowing what to expect with a SOC 2 audit is the key to ensuring that the entire process goes smoothly.

Understanding Who Can Perform a SOC Audit

A licensed Certified Public Accountant (CPA) Firm must perform a SOC 2 audit. CPA Firms must adhere to specific professional standards established by the American Institute of Certified Public Accountants (AICPA) to ensure CPA firms meet strict quality standards when performing SOC 2 audits.

All CPA firms that perform attestation under the AICPA standards also undergo peer reviews, which confirm that their practices align with attestation standards from the AICPA. Other professionals with relevant experience may participate in the audit process, but a CPA firm will sign and issue the final report. 

It’s up to you to find a CPA firm that you want to work with. Each firm, though they’ll be moving towards the same goal, will have a slightly different approach to the SOC audit process. If you’re comparing multiple firms before making a choice, ask them about how they operate.

SOC 2 Audit Process: What You Can Expect 

Once you have some knowledge about who can perform this audit and what you have to have in place, you can walk through the steps to actually complete the audit. Here’s a look at what needs to happen during the process.

Scoping

Several parts of your business will need to be assessed as part of the audit. 

This will include your company’s: 

• Tech stack

• Data flows

• Infrastructure

• Business processes

• People

Discuss the scope with your auditor in advance so you can gather all the information you need for this to be a successful audit and to ensure the scope will cover the needs of a broad range of customers.

Determining which Trust Service Categories to include will also be a part of scoping. Security is the only category required to achieve SOC 2 compliance. However, there are other categories, including availability, confidentiality, processing integrity, and privacy. Every category doesn’t necessarily need to be part of all audits, because each one will not apply to every company. 

If you don’t consider the categories you need to adhere to, you’ll get an incomplete picture of what’s actually necessary to protect your information, and you won’t be able to show your commitment to compliance. That’s why it’s critical to include this step in your planning before the actual audit begins.

Fieldwork

After you provide all the necessary information to your auditor, they will review evidence for each in-scope control. They also may schedule walkthrough meetings with you to obtain an understanding of controls through observation. They may ask for clarification on the evidence provided or for additional evidence. 

Specifically, during a SOC 2 Type 2 audit, your auditor may need to request populations and randomly select samples to ensure controls operated over a period of time. 

Controls that may require populations and samples may include: 

• New hire onboarding

• Access removal for terminated employees

• Background checks

• Security awareness training

• Code reviews for application changes 

Final Report

Once the auditor completes the fieldwork, they will determine if any control exceptions were identified based on the evidence provided (or lack of evidence provided) for each control tested. The results will be documented in an extensive report that includes a description of your internal control environment. Typically, audit firms will provide you with a draft report for your review before issuing the signed report. 

Upon approval of the draft, your auditor will request your signature on a management assertion letter and a management representation letter. They will perform a final subsequent event inquiry to determine if significant events took place after the audit period that materially impacted your internal control environment, such as significant information security incidents or changes to the organizational structure. Once these steps are completed, you’ll receive your final SOC 2 report.

General Timeline

Completing an audit can be time-consuming and complex. But, knowing how long the process takes from start to finish will make it easier to plan for and work through. Depending on the type and scope of an audit, an audit from the start of fieldwork to issuing the final report will take on average, four to eight weeks. 

Avoiding Delays

It can take a long time to get the evidence, and you have to make your personnel available for the auditor. If your evidence collection is delayed, the reporting process and the day you get your report may be pushed back. Make sure to obtain an audit timeline from your auditor so you are aware of the key audit milestones and your responsibilities for ensuring each milestone is met.

The system description can also cause delays if it’s poorly written—a common mistake companies make with SOC 2 compliance. Be sure to work with your auditor early on in the process to ensure you include the required information to avoid this setback.

Simplify the SOC 2 Audit Process

Do you have more questions about how a successful SOC 2 audit happens? Schedule a demo to see how Drata can help you understand and automate compliance.