Cristina’s Compliance Corner: SOC 2 Audits of Past, Present, & Future


Auditors are the unsung heroes of the information security and compliance space. Day in and day out, they show up to work and provide a thorough, consistent, and extensive review of their customers’ controls. Furthermore, they have deep knowledge of the subject matter, yet when a control fails they can explain the failure with education and empathy rather than blame.

In an industry that has mostly remained unchanged since the AICPA (American Institute of Certified Public Accountants) introduced the SOC framework around 2010, SOC 2 auditors have found a way to challenge the status quo. Sure, the controls would look the same, but was there a better way of testing those controls?

To highlight some of the industry’s finest, I invited Laika’s David Haviley and Vicky Pham to join me on LinkedIn Live. During the episode, David and Vicky share their experiences from the field (both past and present) and provide their predictions for what the future of audits looks like.

David comes to Laika with more than ten years in the ‘Big Four’ world, and Vicky joins us with a strong consultancy background. Their distinct perspectives and technology-driven mindsets have been key in shaping how SOC 2 audits will be performed going forward. The opportunity to hear their feedback (and tips for success from the auditors themselves!) was incredibly valuable. Check out the recording to watch the full episode, and keep reading for highlights from the discussion.

Looking back: The ghost of SOC 2 audits past 

Once upon a time, auditors used to travel far and wide when assigned to customers for their SOC 2s. Everything was old school: there were paper files to be examined, server rooms under lock and key, and manual processes for signing visitors in and out. Looking back, it feels a little like the wild west, but at the time it was simply the standard way of doing things.

When it came to evaluating the scope of the controls, it was similar to how it’s done today. However, the limitations and inefficiencies were obvious:

  • Disorganization was inevitable with paper documentation
  • The margin for human error was significantly higher
  • Requiring an audit team to travel and examine evidence on-site extended timelines significantly

Having been an auditor myself, I relished reliving the glory days when talking to David and Vicky. When you’ve been on the audit battleground, you can bond over shared experiences, success stories, and brutal pain points. But what we could all agree on, regardless of our war stories, was the improvement technology has brought to the industry and how much further it could still take us.

Current state of the SOC 2 world

Like many industries, auditing was changed when COVID-19 swept through. Significant changes were required to keep projects moving forward once it was no longer possible to be on-site evaluating and testing control environments. Audit firms all over the country switched to video conferencing and online SharePoint platforms, and generally re-imagined how the controls operated in a changed environment.

COVID also had a significant impact on the way businesses, in general, functioned. The push to move to electronic databases and up-to-date software was no longer a nice-to-have but a need-to-have. Moving to a technology-first style of operation needed to be reflected in their SOC 2s as they began to process more and more data electronically.

Auditors everywhere welcomed this advancement. The control objectives and overarching themes remained the same, but how they were evaluated and tested needed adaptation. Creativity, innovation, and technology had an opportunity to shine in an otherwise unchanged industry—welcome progress.

So what has changed since the past? Vicky and David talked about:

  • Automation of testing
  • Control efficiencies via technology
  • More rigorous evaluation of controls (no more hall passes!)

They both noted that the general sentiment is that technology has taken over and has no plans of stopping for the foreseeable future. And in fact, neither does the auditing community. David mentioned that auditors were quick to capitalize on these new technological developments, having seen the improvements within his own team and understanding that, long-term, they would bring incredible benefits to customers and auditors alike. If this was just the tip of the iceberg for where this could go, he knew it was necessary to act quickly. The window into the future of compliance was looking bright, with more transparency, efficiency, and technological advancement.

The future of SOC 2 audits is here

The work done thus far in progressing the way audits are performed sets the foundation for immense change. We are already beginning to see it today, but the concept of “continuous compliance” will only become more prevalent in the industry. 

Vicky eloquently stated that she sees a world where automation takes over certain components of an audit, especially for those organizations operating in the cloud. She mentions the relevance and importance of integrations and monitors, having worked on them from the Thoropass (formerly Laika) product side. Some key pillars of the future of audits will include:

  • Steady streams of data used in the audit. Integrations with the systems tested most heavily during the audit feed evidence directly to the auditor. This eliminates an initial step in the process, in which the auditors request the raw data in advance.
  • Continuous monitoring and compliance. With real-time notifications and updates on the health of the integrations and monitors, customers can better understand their technological controls. It also helps avoid surprises come audit time: when a control falls out of compliance, the monitor flags it and remediation can happen before the auditor finds it, setting the customer up for success.
  • Transparency and efficiency. It’s important to know what information you’ll need and how it will be evaluated during the audit. This streamlines the process for both the customer and the auditors. Because of the monitoring, customers already understand which systems are in scope and whether the controls are operating effectively.

David couldn’t have agreed more with Vicky on the future of the audit process. He noted that these advancements would only continue to improve and ultimately benefit auditors and customers. 

He did caution, however, that while technology will be able to help with a significant amount of lift when it comes to going through an audit, this new age of “100% automation” will likely never be possible—at least not anytime soon. There will always be processes and controls that are operational and manual.

Less friction, more transparency

There certainly has been an increase in the popularity of the SOC 2 report (it is an attestation by an independent auditor, not a certification) within recent years. From my point of view, this has everything to do with improving the overall process. Technology has given customers more control over how their business operates in a more controlled environment. They no longer walk into an audit blind, because there is now the option of transparency through end-to-end solutions. Ultimately, there are more tools available to set them up for success.

Auditors have also greatly benefitted. Gone are the days of identifying, organizing, and inventorying paper documentation into a binder. While they almost unanimously recognize that some things are best done the old-school way, they acknowledge that the industry had to embrace technology to improve its processes. It has created less friction for internal teams and streamlined auditing processes for faster reporting and more accurate, unbiased opinions.

Happy auditors, happy customers, happy life.

Not all auditing firms and processes have switched to the most up-to-date capabilities. With its end-to-end solution, integrations and monitoring, and automated audit workflows, Thoropass makes staying within compliance as straightforward as possible. Speak to a member of our team today to learn more about Thoropass’s Security Audit Experience.
