Ask an Auditor: Navigating Your First SOC 2 Audit With Jeffrey Filler From Boulay Group
CPA Jeffrey Filler from Boulay Group answers your questions about completing a SOC 2 audit for the first time. Preparing for a SOC 2 audit can be a daunting task, especially if you’ve never been through one before. Our Ask an Auditor session with Jeffrey Filler from Boulay Group is a must-see for anyone wondering what to expect or how to succeed in their first SOC 2 audit.
About Boulay
Boulay works with individuals, closely-held businesses, and public companies to help ensure their financial success. With a team of over 250 professionals—including 35 partners and 107 certified public accountants—Boulay is committed to providing sound business advice, options, best practices and tailor-made, workable solutions.
Trusted financial advisors since 1934, Boulay’s seasoned experts work closely with individuals, businesses, and public organizations to provide in-depth accounting, audit, tax, and financial consulting.
Choosing an Audit Firm
Once you’ve decided to pursue SOC 2, researching and selecting the right audit firm is key. Jeffrey explains that developing a relationship with your auditor early on can be extremely beneficial, as it allows you to work together to determine the scope of the audit and set expectations.
How do you know which firm is right for your business?
An audit firm’s reputation can help you choose a trusted, efficient auditor. Jeffrey advises checking that the firm has a peer review demonstrating proper quality control over its audit process. It’s also beneficial to select an auditor that’s familiar with the compliance automation tool you may be using, such as Drata.
How to Approach Trust Services Criteria
The Trust Services Criteria (Security, Availability, Processing Integrity, Confidentiality, and Privacy) are control criteria used to evaluate and report on the design and operating effectiveness of controls relevant to an organization’s information and systems. The only required category is Security—the other four are optional, but depending on your organization, it may be beneficial to include some of the other categories.
Jeffrey recommends taking a look at your organization and any contractual agreements it may have with its customers in order to determine which Trust Services Criteria to include.
Here are some general guidelines:
Processing Integrity: Include if your system generates reports that customers rely on for accuracy
Privacy: Include if your organization handles personally identifiable information (PII)
Availability: Can be included in most reports to demonstrate that your system is available, performing adequately, and meeting the uptime commitments you make to customers
Confidentiality: Can be included in most reports to demonstrate that you meet the confidentiality clauses in your contracts with customers
Security Personnel and SOC 2
Contrary to popular belief, organizations do not need to have a CISO to successfully undergo a SOC 2 audit—many companies don’t have the resources or the personnel. It is important to have a designated point person during the audit, and Jeffrey advises that it should be someone that can respond to security related matters in the event the auditor does uncover a security incident.
So, if not a CISO, who should be the auditor’s point of contact? Either the CTO or someone on the IT team that deeply understands the systems. This person should be able to access and provide documentation, coordinate with the auditor, maintain open lines of communication, and explain how your system works and its key controls.
They also should know who to loop in for other aspects of the audit, like HR personnel about operational risk controls, or someone on the software development team that can discuss change management.
These are just a few of the topics covered in this edition of Ask An Auditor. Check out the video to hear Jeffrey’s answers to these questions and others, including:
What are the biggest factors that impact the length of time between the start of the process and the actual SOC 2 report?
What are the most common areas in which organizations find themselves non-compliant?
What happens after an audit?
For more information about SOC 2 audits, other frameworks, or compliance automation, sign up for our bimonthly newsletter, Trusted.