Let’s be honest, no one likes being audited for the first time. There are big unknowns. You think your organization is appropriately secured, but you’ve never had an independent third party assess the security of your organization. Did you think of everything? Probably not, but there are many ways to get ahead of the game when it comes to passing a first-time audit.
What can you do to minimize the fear and successfully complete your first SOC 1 (formerly SSAE 16) or SOC 2 audit?
First, choose the right scope for your audit. Work with a SOC audit firm to select the appropriate control objectives for your SOC 1 or the appropriate Trust Service Principles and Criteria for your SOC 2. These choices will define the scope of your SOC audit report. You can help identify the appropriate scope by asking yourself a few questions. What are the services you provide? What are the risks or threats to those services? Do you transmit sensitive data such as electronic protected health information or credit card account numbers? If so, loss of that information may be your greatest risk. Once you identify the greatest risks to your organization, you will need to obtain an audit report that shows your stakeholders how you have mitigated those risks to the services you provide. Select the control objectives (SOC 1) or the Trust Service Principles (SOC 2) that answer the right questions for your clients and user organizations.
Second, pick an audit firm you can trust. You should select a firm whose auditors have the appropriate skills and expertise. SOC audits must be performed by a Certified Public Accounting (CPA) firm that specializes in IT auditing. You don’t want to select a bookkeeping CPA firm whose auditors are not trained in how to audit IT systems. As with many fields, there are many types of accountants and auditors, and you need to be sure to hire the right fit for the job. Ask how many SOC reports the prospective firm has completed in the past to get a sense of their expertise.
Third, work with your audit firm to develop a risk and control matrix that identifies the risks to your organization and helps determine whether there are appropriate controls in place to mitigate the identified risks. This is a great exercise that lets you know where you stand with regard to controlling your organization’s risk and mitigating it to an acceptable level.
Fourth, after you have determined the scope and controls to be included in the audit, ask your firm for an initial request list of items you can prepare to help the audit be completed as efficiently as possible. Then prepare as many of the requested items as you can, well in advance of the audit. Discuss the requests with your auditor so you understand exactly what they are looking for ahead of time. The best way to efficiently complete an audit is to respond to audit requests in a timely manner and get the auditor what they need to complete their work. When you do that successfully, you can use the on-site fieldwork time with your auditor to answer any questions they may have about the evidence you compiled ahead of time. Dragging your feet on requests or taking a long time to respond to questions from your auditor does not allow them to complete their work efficiently or get them to leave any sooner.
Rob started with Linford & Co., LLP in 2011 and leads the HITRUST practice, and also performs SOC examinations and HIPAA assessments. He has spoken at Data Center World on compliance-related topics and has completed over 200 SOC examinations. He started his career as an IT auditor in 2003 with PwC in the Systems and Process Assurance group, and has worked in internal audit in a variety of industries as well as for the City and County of Denver.