Ask an Auditor: February Recap
Compliance doesn’t have to be complicated. The compliance team at Drata is here to help you with our Ask an Auditor series. On your journey to compliance, we know you’ll have many questions—and (hopefully) we have answers. With that in mind, we started our Ask an Auditor series, where Troy Fine, a 10-year auditor turned Drata in-house compliance expert, answers your most pressing compliance questions. Here’s a recap of our first episode; you can watch the full video below.
What Are the Requirements for SOC 2?
Since SOC 2 doesn’t have prescriptive controls, a lot of it is subjective. When it comes to requirements, you can’t point to specific controls. SOC 2 only requires that you have controls in place to meet the applicable criteria of the Trust Services Categories. The categories are classified as security, confidentiality, availability, processing integrity, or privacy.
Within each one of these categories, there are many criteria you’ll have to meet. To meet those criteria, you have to implement a set of controls. As you go through a SOC 2 audit, a CPA firm will use their professional judgment to determine if the controls you have implemented were suitably designed and operating effectively to meet the applicable criteria. In addition, you’re required to provide a system description. This description will serve as a narrative of your control environment, infrastructure, software, people, and all the data involved in your system.
What’s the Most Common Mistake Companies Make Working Towards SOC 2?
Not getting leadership buy-in. Unfortunately, leadership in many small- to medium-sized businesses tends to view SOC 2 as a check-the-box exercise. When leadership sees SOC 2 as just an item on a checklist, that sentiment can trickle down through the organization, leading to little funding and few resources being allocated to buying strong security tools and building robust programs.
Can I Leverage SOC 2 for an Internal Audit for ISO 27001?
Ultimately, it will come down to the professional judgment of the ISO 27001 certification body. However, if your goal is to leverage your SOC 2 Type 2 report for your internal audit, you’ll need to be intentional during your planning for SOC 2. Otherwise, your SOC 2 report might not cover everything needed for an ISO 27001 internal audit.
Start by inquiring with your CPA firm to determine if they are comfortable with performing an internal audit for ISO 27001. If they are, they will request additional items during the SOC 2 audit in order to obtain coverage of the ISO 27001 clauses and Annex A controls that were not covered by the testing they performed for the SOC 2 audit.
Upon completion of the SOC 2 audit and the internal audit, your auditor will issue a SOC 2 report and an ISO 27001 internal audit report. Any non-conformities identified in the internal audit report will need to be addressed, and risk treatment plans will need to be documented, before your ISO 27001 Stage 1 audit begins.
Do We Need to Get a SOC 2 Type 1 Before SOC 2 Type 2?
According to the attestation standards, there’s no requirement to do a SOC 2 Type 1 before a SOC 2 Type 2. However, getting a SOC 2 Type 1 first has some advantages. Since a SOC 2 Type 1 is a point-in-time audit, meaning it’s a snapshot of your organization’s controls at a given time, it can be leveraged as a readiness assessment or dry run for your SOC 2 Type 2. It can help you identify gaps before your auditor reports exceptions while assessing the effectiveness of your controls over time in your SOC 2 Type 2 report.
How Do You Show the Value of SOC 2 to Leadership?
Manage expectations upfront. Get leadership involved at the beginning and present SOC 2 in a way that will resonate with them. For instance, senior management might not fully understand or have the time to dive into the intricacies of controls, but they’ll care about the potential risks and negative impact of not going for SOC 2 or not getting a clean report. You may want to cover:
Potential consequences
Expected timeline
Resources needed
Anything else you’ll need from leadership
How Much Access Should My Auditor Have on a Compliance Automation Platform?
Before compliance automation tools (like Drata), auditors didn’t have the same level of visibility into your controls. Now, auditors can have read-only access to the daily operation and possible failures of a control on any day during the audit period—which, understandably, causes concern. Since there isn’t any guidance on how auditors should use compliance automation platforms during the audit, you’ll want to get their perspective from the beginning. To start the conversation, you can ask:
If you see an exception on a random day during the audit period, will you report on it?
Do you have a tolerable rate of deviations that you’re using if, for instance, our controls are effective 95% of the time?
If you’re not comfortable with giving your auditor full access, a platform like Drata lets you choose a hybrid approach for their level of access. For instance, your auditor will be able to see evidence from your SOC 2 Type 2 audit period and download a sample of the continuous monitoring tests Drata performs for a sample of days throughout the Type 2 audit period.
I Have Not Been Asked for a SOC 2: Why Would I Pursue One?
It really comes down to whether or not you’re looking to build a strong security program. SOC 2 will serve as assurance to the outside world that your company is taking security seriously and as a stepping stone for building a robust security program. If you’re a cloud service provider or a SaaS company and your goal is to enter the enterprise market, you’ll inevitably be asked for your SOC 2 report. Therefore, having SOC 2 can be leveraged as a sales tool while building those controls early on and will allow you to scale quickly.
What Recommendations Would You Have for a First-Timer Pursuing SOC 2?
Find the right tools and people that can help guide you—especially if you wear many hats within your organization. Again, since SOC 2 controls are very non-prescriptive, it can be hard to figure out where to begin. You can start by looking for the right automation platform, a consultant, and a CPA firm that can point you in the right direction. From there, we recommend you spend some time going over the criteria, what a control statement and activity is, and what an auditor would look for during your audit.
As a Company With a SOC 2, Can I Work With a Vendor Without One?
The short answer is yes. However, it’s not recommended to work with a vendor that manages sensitive data but doesn’t have any type of attestation, such as SOC 2, ISO 27001, or PCI DSS. While SOC 2 requires you to monitor your vendors, it doesn’t specify how.
The easiest way to monitor a vendor is to ask them for their SOC 2 report, document your review of it, and ensure that they have the appropriate controls in place to protect your data. If you have questions for the next Ask an Auditor episode with Troy or our compliance team, send them to marketing@drata.com, and be sure to sign up for next month’s episode.