Compliance 101

How SOC 2 Compliance Works: Audit Process

SOC 2 Audit Process

It’s the moment we’ve all been waiting for, furiously implementing controls and checking changes, training employees, and gathering evidence. The time to prove that implementing best practices has secured your business. It’s time for the SOC 2 audit.

In this series, we covered gap analysis and remediation plans, control implementation, and risk assessment. Each of these steps prepares your business for an audit.

While this series spoke about our own journey through SOC 2 compliance with Laika, we’re cognizant that we don’t serve every business seeking a SOC 2 (although we want to!). Below you will find a breakdown of the audit process that we experienced and walk through each week with our customers, and the audit process without Laika.

Now, let’s talk about the audit process.

Select an auditor

The AICPA created SOC 2 and only accountants or CPA firms affiliated with the AICPA can perform the audits. Because service organizations needing SOC 2 reports frequently store or transmit data through the cloud, you’ll need an accountant who knows their way around cloud technology environments.

If you tackled SOC 2 without Laika, it’s likely that you selected an auditor before starting the SOC 2 process. An auditor will be able to assess your current security, perform a brief gap analysis, and tell you which TSCs you’ll need to implement controls for.

Letter of engagement

Like any new software or consulting agreement, service organizations and auditors first need to dot their i’s and cross their t’s. This starts with a letter of engagement.

The letter includes formal language determining the time frame and scope of the audit and the TSC that will be examined by the auditor. The letter is signed by the audit firm and the service organization before kicking off the engagement.

Kicking off the audit

Following the engagement letter, the service organization and audit firm schedule a kickoff meeting to introduce the audit process and discuss the timeline in-depth. This can also include discussion of critical vendors and policies.

Deliver evidence of control implementation

As your business creates new processes and policies related to required controls, you’ll need to keep track of each. Once finished, download all the evidence and send it to the auditors.

To stay organized, we recommend gathering and storing all compliance documents in one place. This will make it easier to search and find the evidence needed for the audit. Prepare your team to be available to auditors at any time over the course of this process, which lasts about 4-8 weeks.

Fieldwork by the auditors starts with interviewing each key process owner for about half a day to understand how your compliance posture was designed. From there, process owners can expect at least another full day of explaining controls.

The amount of time spent introducing controls to auditors largely depends on how and why they were designed a certain way. This is the first foray into examining the quality of your security program.

Questions and requests

After receiving all your evidence, policies, and record of implementing best practices, auditors aggregate questions on your security posture. They may send a security questionnaire or a request list with 100-200 requests. These requests live in a spreadsheet, and teams send them back and forth to sort everything out.

You’ll need a few points of contact to communicate with auditors and keep the audit process running smoothly.

What auditors need:

  • A list of controls
  • Oversight to your systems and configurations
  • Screenshots of evidence

Respond to the auditor’s opinion

Management’s response is the fifth section in a SOC 2 report. If auditors identified exceptions, this is the service organization’s opportunity to explain why the exceptions were identified and how the service organization enhances the control and remediated the issue.

If no exceptions came up during the audit, you can skip this step!

For this part of the audit, you’ll need the experts who chose and implemented your SOC 2 framework to explain how your bespoke and secure compliance posture. Typically, management would write an in-depth response and email it via word doc to the auditors prior to the final report.

What auditors need:

  • Comprehensive and truthful response to any discrepancies in the SOC 2 controls

If the auditors found exceptions in your control environment during your audit, they’ll include those notes in their results of control tests. The audit team communicates these exceptions to the service organization prior to issuing a final report, and the management of the service organization has an opportunity to respond.

Receive a final report

Your audit firm should perform thorough quality assurance before issuing your report. Multiple auditors will review the tests and results, edit the report, and validate all information examined. This is an important step in the audit process! Be sure to ask your audit team about their quality assurance process before signing a letter of engagement.

Finally, the audit firm issues a final SOC 2 report! Because your team should be in constant communication with auditors, nothing in this report should come as a surprise.

What auditors need:

  • You’ve reached the end! At this point, you need to pay an invoice for their time and lock in a time frame for the next year’s audit.

Laika’s audit experience

Our own audit kickoff was streamlined for a couple of reasons: we had security and risk experts at the helm, and we used Laika’s platform. Not only did we customize our SOC 2 controls to our company’s needs, but our compliance architects also made sure that our security posture was ready for audit before we started the process. Having completed thousands of audits, Laika’s experts ensure every i is dotted and each t is crossed.

For businesses going through a SOC 2 audit without Laika, the kickoff process will be about a week of meetings and calls with your auditors.

With Laika, our compliance architects and customer success managers field all the questions and manage the process directly. Similarly, auditors access all compliance artifacts and configurations within Laika. The platform prevents a mess of spreadsheets and word docs to collect all the necessary information.

Our team is constantly meeting with auditors to understand the best way to collect and deliver quality evidence, anticipate and avoid auditor follow-up questions, and decrease the time to receive a completed report.

How long does the audit process take?

SOC 2 Type 1 audits with Laika take about 2-4 weeks, and Type 2 audits can last 6-8 weeks. If you choose to tackle the process on your own and/or select your own auditor, Type 1 audits last around 6 weeks, and Type 2 audits last about 12 weeks.

Why do SOC 2 audits take so long?!

This timeline depends on your auditor, your team, how you’ve designed and implemented controls, and the organization of security information. Because audits are a stodgy, manual process, they require a lot of “busy work.”

Your team may be tied up with auditors for the better part of 3 months. We understand that not every startup has an army of compliance experts to help move your business through an audit. This is why we built software and integrations for your team and our compliance architects take the reins.

Annual tasks

While many businesses look at an audit as the ultimate step on the SOC 2 journey, this will need to be performed annually to stay in compliance. Your information security posture will need to mature and grow as your business scales.

If you’re wondering how to decipher your final SOC 2 report, we already have you covered. Check out our post here.

Previous SOC 2 steps

ICYMI, we’ve outlined each step of the SOC 2 process in a series of blog posts. Below is a brief recap of each of the previous steps.

Gap Analysis

When you start your SOC 2 process, you’ll meet with a compliance architect. They identify your current security posture and the gaps that need to be addressed. From there, your compliance architect creates a strategic remediation plan to follow through with control implementation.

If you’re tackling a SOC 2 without Laika, you’ll most likely need to enlist the help of a CPA firm to perform a gap assessment. The auditors will be able to identify the controls you need to implement and standby until you have enough evidence collected to perform an audit.

Read more

Control Implementation

There are many different ways to meet SOC 2 requirements and fulfill your business’ chosen TSCs. Based on the maturity of your organization, a compliance architect can guide you through the most cost-effective and efficient ways to secure your information and services. This requires a lot of documentation and evidence gathering, which we executed directly in Laika’s platform.

Read more

Risk Assessment

Finally, when your implementation process is about 75% complete, a compliance expert will execute a risk assessment. Auditors ask for this document to understand your risk appetite and growth trajectory. Then they can determine if your data will be secure over a period of time.

Read more