(The following originally appeared as an article in Security Boulevard)
Choosing a SOC 2 auditor can seem like a panic-inducing process. How do you find one and what should you ask them? Will they understand your unique environment, product, and challenges? It is up to you to select the auditor that best understands your organization in both its current and future states. SOC 2 is a multiyear journey, so our best advice is to select an audit firm with people that you like and trust.
What Auditors Can and Can’t Do
It is important to establish boundaries around what an auditor can and can’t do when providing SOC 2 audit services. Your auditor should be your partner along your journey. They can help you identify controls you already have in place but didn’t think to claim credit for. They can suggest edits to your System Description and help you refine the language of your controls. A great auditor will also provide post-audit recommendations and areas for future improvement.
Auditors are required to be ‘independent’ so that they meet the standards of their governing body (the AICPA). This way they can objectively opine on the System Description and the design and, in a Type 2, the operating effectiveness of your controls. The auditor can never perform a control, design a control, or tell you exactly what to do, although a great auditor will have a way of dropping hints.
Questions to Ask
We have worked with many auditors and when you are in the Strike Graph family, we will refer you to a few that may be a good fit. We suggest you interview at least three auditors and ask them all the same questions. The following questions may be helpful in the selection process:
- What is your experience with a company of our size and security (Privacy, Confidentiality, Availability, Processing Integrity) maturity? What you are looking for is a firm that has experience auditing companies as close as possible to yours in size and level of IT security maturity. If you are a startup and still growing, and they have no experience with companies like yours, you may run into a scenario where they expect a world-class IT security program that doesn’t make sense for where you are in your journey.
- What is your quality review process - how many layers of review do you have? The answer to this will impact the time it takes for the auditor to deliver your final SOC 2 report. You definitely want to partner with an auditor who is committed to quality, but you also want an auditor that is as efficient and nimble as you are. A final SOC 2 report delivered about six weeks after their field work may be OK for you, but maybe you need it quicker. Make sure you agree on a deliverable date that you’re comfortable with.
- Do you require at least one control for each ‘point of focus’? This one is tricky - some firms require at least one control per ‘point of focus’ while others are fine with adequate coverage for each principle. There is no requirement in the guidance that each point of focus must be mapped to at least one control. However, we highly recommend that for all of the ‘security’ specific criteria you do find a control for each point of focus. For the more ‘operational’ criteria, we find that this 1-to-1 approach leads to unnecessary, busy-work controls that add no extra security and no meaningful assurance.
- Can you scale your standard audit approach? Can you dive right into the Type 1? Many auditors follow a systematic three-part approach to their audits: Readiness Assessment, SOC 2 Type 1 (point in time), then SOC 2 Type 2 (over a period of time). The three-pronged approach can take anywhere from 6 months to a bit over a year. If you don’t need a Readiness Assessment because you have worked with Strike Graph on your Pre-Audit tasks, or if you want to get a running start on your Type 2, make sure your auditor can scale their fees and adapt. This will be somewhat new to many of them.
- As an audit deliverable, will you provide recommendations on how we can mature our security environment? This is especially important if you are a young company. An excellent auditor will meet with you after the audit to suggest areas for improvement, or processes and technologies to consider as your security program matures.
There are many other questions that you can ask, but at the end of the day remember that the firm will be with you for a few years. Make sure they understand where you are in your SOC 2 and compliance journey, that they won’t break the bank, and that you have a good rapport with them. Good luck!