Traditionally, a SOC 2 audit was treated as a sign of growth in the service industry: passing it opened the door to large clients, who read the report as evidence that the firm could deliver reliably. As awareness of cybersecurity has grown, the emphasis has shifted. A SOC 2 audit now examines the controls a service organization uses to protect its clients' data, and many enterprise customers will not sign a contract until a vendor has a report in hand.
For small firms, setting the scope and the security controls required for a SOC 2 audit is difficult. A scope that is too narrow may cost you customer confidence and invite further audits; a scope that is too broad is expensive and consumes a great deal of time meeting requirements your clients never asked for.
You therefore need to strike a balance: a scope wide enough to cover the controls your clients care about, and no wider. Find out early what the auditors will expect, and make sure you can give clients strong assurance about the security of their data. There are two types of SOC 2 report. A Type I report confirms that the service organization's controls are suitably designed as of a point in time; a Type II report confirms that those controls also operated effectively over a defined review period (often six to twelve months).
Whichever report you pursue, the first and most important preparatory step is to identify which Trust Services Principles (TSPs) will be in scope. (The AICPA now calls these the Trust Services Criteria, but the term TSP remains in wide use.)
How to Find Your TSPs
SOC 2 evaluates a service organization's controls against five principles established by the AICPA. (SOC 2 covers operational controls over customer data; controls over financial reporting are the subject of the separate SOC 1 report.) The principles are:
- Security. The system is protected against unauthorized access, use, or modification, whether physical or logical.
- Processing Integrity. System processing is complete, accurate, timely, valid, and authorized.
- Availability. The system is available for operation and use as committed to customers and as required by the system's own objectives.
- Confidentiality. Information designated as confidential is protected from unauthorized access and disclosure, as committed or agreed.
- Privacy. Personal information is collected, used, retained, disclosed, and disposed of in line with the firm's commitments and the system's requirements.
Not every SOC 2 audit covers all five principles. Security (the Common Criteria) is included in every SOC 2 report; the other four are optional and are added when they match what your clients actually need from you. Working out which TSPs matter to your clients is therefore the heart of scoping the audit. To avoid a scope that is too wide, include only the principles you need. For example, the Privacy principle belongs in scope only if your system collects or stores personal information about your clients' end users.
Why Principles Matter
Choosing the TSPs in scope is crucial because the next step is to identify the systems, policies, and procedures that support each principle and together form your internal control environment. The auditors will then test those controls against every TSP you have included.
The principles you choose can either build or damage your relationship with clients. For each candidate principle, ask what it brings to your business and to your customers. If the benefits are clear, include it; if it adds nothing for either side (and it is not the mandatory Security principle), leave it out.
At this stage, work with your top executives to define your services, products, and strategy candidly: who your target clients are, what they expect, what you offer today, and what you plan to offer in future. Your compliance and audit leads need a seat at that table, because the answers to these questions drive the SOC 2 scope.
Before undertaking a Type II audit, which is more intrusive because it tests controls in operation over a period, it is advisable to start with a Type I, which assesses only control design at a point in time. That lets you build confidence on the simpler principles, such as Availability, before tackling the more demanding ones, such as Processing Integrity, and confirms that you are ready before the longer engagement begins. Engaging a SOC 2 advisory firm to guide you through the process can help ensure that your systems deliver the security and integrity your clients expect.
Good answers to all of these questions shape how well the audit, and the business that depends on it, will go, so do not compromise on them.
Ken Lynch is an enterprise software startup veteran who has always been fascinated by what drives workers to work and how to make work more engaging. Ken founded Reciprocity to pursue just that. He has propelled Reciprocity's success with this mission-based goal of engaging employees with the governance, risk, and compliance goals of their company in order to create more socially minded corporate citizens. Ken earned his BS in Computer Science and Electrical Engineering from MIT. Learn more at ReciprocityLabs.com.