SOC 2 audit Reddit AMA: Most upvoted questions and answers

April 27, 2023, Thoropass Team

As cybersecurity concerns continue to grow in our increasingly digital world, businesses are constantly looking for ways to safeguard their data and protect their systems from potential threats. One widely recognized standard for evaluating service organizations’ security and privacy controls is the Service Organization Control 2 (SOC 2) audit.

A SOC 2 audit is a comprehensive assessment of a service organization’s security, availability, processing integrity, confidentiality, and privacy controls, conducted by an independent auditor. The audit evaluates whether the organization’s controls meet the criteria outlined in the Trust Services Criteria (TSC) established by the American Institute of Certified Public Accountants (AICPA).

Recently, experienced Thoropass (formerly Laika) SOC 2 auditors hosted an “Ask Me Anything” (AMA) session on the r/cybersecurity subreddit, providing valuable insights and answering questions from the community.

Meet the experts

Vicky and David have led hundreds of successful SOC 2 audits and are excited to share their insights on how to minimize unnecessary friction throughout the audit process.

Vicky Pham is an auditor (previously an IT risk consultant) with experience in compliance frameworks such as NIST 800-53, FISCAM, and SOC 2. From federal regulatory agencies to startups, and from audits to implementation, Vicky has supported client compliance journeys at various stages.

David Haviley has over ten years of audit experience with a focus on SOC 1 and SOC 2 assessments. David has also been heavily involved in process automation and risk management for startups as well as Fortune 500 companies.

SOC 2 audits aren’t known for being quick and easy, but there is a right way and a wrong way to approach them. Vicky and David addressed many questions and concerns during the lively AMA (there were 162 comments in total!).
Before we dive into the discussion highlights, let’s cover some basics.

Who needs an IT SOC 2 audit?

Service organizations that handle sensitive customer data, such as data centers, cloud service providers, and software-as-a-service (SaaS) providers, often undergo SOC 2 audits to demonstrate their commitment to security and privacy best practices. Additionally, businesses that contract with service organizations may request a SOC 2 report to assess the security posture of their vendors.

What are the key components of an IT SOC 2 audit?

The key components of an IT SOC 2 audit are the trust services criteria, which include security, availability, processing integrity, confidentiality, and privacy. These criteria serve as the foundation for evaluating the effectiveness of the organization’s controls in safeguarding customer data and ensuring the availability and integrity of their systems. To learn more about the SOC 2 framework, you can check out our previous Reddit AMA.

More upvoted questions about SOC 2 audits

The AMA thread garnered a whopping 162 comments. There was a steady stream of curious community members asking some thought-provoking questions. Let’s dive into the most popular ones.

Question: What’s the biggest misstep you see when organizations scope a SOC 2?

Answer: The biggest misstep is typically not narrowing the focus to the people, processes, and technologies that directly impact the services being provided. As a result, companies sometimes fail to implement controls on the correct systems, or implement them on too many systems, which increases their overall internal cost of compliance. In general, it is more common to see a scope that is too tight (i.e., controls only deployed within 2 of 5 critical production systems) rather than throwing everything in, given the overall cost associated with over-controlling an environment.
Question: During a SOC 2 Type 2 audit, is it common for companies to provide cookie-cutter evidence when requested to walk through a control? Do you often ask for more evidence, and if so, why?

Answer: It is ultimately up to the auditor to use their professional judgment on whether cookie-cutter evidence is sufficient. In many cases, it can be fine; however, there are instances where you could attempt to use such evidence, and it becomes clear that the evidence is possibly not representative of the actual process. In such an instance, additional evidence may be requested by an auditor to corroborate the design/operation of a control.

One common challenge during an IT SOC 2 audit is ensuring that all controls are properly documented and implemented. Organizations may struggle with identifying and remediating control gaps or deficiencies and with providing sufficient evidence of their control effectiveness. Establishing a strong control framework and maintaining accurate documentation throughout the year is important to streamline the audit process.

Question: What is the typical time investment to go through an audit?

Answer: The approach can vary by audit firm and the type of audit (i.e., Type 1 vs. Type 2). At Thoropass, we typically host a virtual kick-off and communicate subsequent follow-ups via an audit application. Depending on the scope/complexity/type of audit, the audit could take a few days to over a month. Some firms elect to conduct on-site visits throughout the duration of the audit. However, such visits typically occur a maximum of 2 times throughout the annual report period to capture interim and update period results.

Question: What are the benefits of achieving IT SOC 2 compliance?

Answer: Achieving IT SOC 2 compliance can provide several benefits to service organizations, including enhanced trust and credibility with customers, improved security and privacy practices, and a competitive advantage in the market.
SOC 2 compliance can also help organizations meet regulatory requirements and contractual obligations and demonstrate their commitment to protecting customer data.

Question: What should organizations do to prepare for a SOC 2 audit?

Answer: To prepare for an IT SOC 2 audit, organizations should conduct a thorough risk assessment to identify potential control gaps and deficiencies. They should then develop and implement appropriate controls to address these risks and ensure that these controls are documented and tested regularly. Engaging with an experienced auditor who can provide guidance and support throughout the audit process is also important.

You’re ready to go for SOC 2, what’s next?

A SOC 2 audit is a critical assessment for service organizations that handle sensitive customer data. By understanding the key components, challenges, and benefits of IT SOC 2 compliance, organizations can better prepare for the audit and demonstrate their commitment to safeguarding customer data and protecting their systems from potential cyber threats. Partnering with a service like Thoropass ensures you’re well prepared.