For any organization that stores, interprets and manages sensitive data, complying with cybersecurity requirements is of utmost importance. The most comprehensive way to test the strength and effectiveness of these systems is through a compliance assessment.
A SOC 2 assessment applies to service organizations that handle data and provides an attestation that the controls in place to protect that data are secure. The core of the SOC 2 report is based upon the American Institute of Certified Public Accountants (AICPA)’s Trust Services Principles (TSC). These TSC focus on relevant controls in five categories:
- Processing integrity
Beginning this process, however, is no easy feat. There are several steps an organization should take to ensure their SOC 2 audit preparation procedures meet industry standards.
Top 10 Tips for Audit Preparation
Although compliance audits vary in how they’re performed and what they measure, there are a few common steps organizations can take during audit preparation to be ready for any and all action items they may require.
1. Stay up-to-date on standards.
New compliance standards may affect an organization’s audit. Staying up-to-date on changes made to compliance requirements can ensure that an organization’s data management and tracking are within the necessary parameters. Assessing personnel awareness of, and compliance with, new guidelines is also key.
2. Review recent changes in organizational activity.
Did the organization start a new program or receive a new grant? Are there any new reporting requirements? Were any activities discontinued or were there any troubleshooting issues? Were there major changes to the internal control system? These activities — among others — may trigger reporting considerations that the auditor should be made aware of.
3. Create a timeline and delegate tasks.
Any audit will require careful, precise work and preparation from both inside and outside the organization. Review the list of work papers and schedules requested by the auditor. Each item should be assigned to a corresponding team member with a due date that allows adequate time for review and correction, if need be. The most difficult and time-consuming tasks should be addressed first and foremost. Financial statements should be available to the auditor on or before the first day of fieldwork.
4. Review prior audits (if applicable).
If the organization has undergone audits previously, looking over previous data may give both the organization and auditors insight into areas that have improved or still require improvement. Taking stock of prior audit adjustments, internal control recommendations or prior struggles can help identify past problem areas.
5. Organize data/gather evidence ahead of fieldwork.
Having a well-organized data system is key to interpreting the results of the audit in years to come. Creating subfolders for significant cycles or categories can help keep important and relevant information grouped together for easier access and understanding. Additionally, schedules and work papers containing sensitive or classified information may need to be password-protected or maintained in a restricted network location.
6. Review requests and ask questions.
Encouraging team members involved in the auditing process to ask questions is vital to its success. Auditors are generally happy to answer questions regarding the requests they’ve made, the information being assessed and other items of interest. Taking this step can help prevent easily-avoidable communication errors further into the audit, when mistakes may not be as easy to remedy.
7. Be available during fieldwork.
Key personnel will need to be on-hand during the audit and audit preparation. Non-critical meetings should be rescheduled or postponed to avoid adding undue stress and responsibilities to staff members’ plates. Auditors may require additional information — including supporting documents and explanations — throughout the fieldwork stage. Arranging brief status meetings or having the auditor provide an open items list can help keep communication open between all involved parties.
8. Evaluate results.
Open communication between organization members and auditors should be encouraged throughout the time between fieldwork and the issuance of the audit. If any items remain open at the end of fieldwork, both parties should establish agreed-upon dates for the information to be provided to the relevant participants. If there is any confusion regarding certain aspects of the audit, an organization may find hosting a post-audit closing meeting to be beneficial.
9. Identify the right audit partner.
Any auditing organization a company considers should be formally qualified for whichever type of audit is required. Many organizations will have multiple certifications, but it’s best to do thorough research before making a final decision.
10. Ensure your audit partner has the right qualities. They should:
- Are licensed
- Undergo audits themselves
- Are properly staffed
- Respond within 24 hours
- Offer premium audit software
- Provide a comprehensive suite of services
The A-LIGN Difference
A-LIGN is a technology-enabled security and compliance partner trusted by more than 2,500 global organizations to help mitigate cybersecurity risks. A-LIGN uniquely delivers a single-provider approach as a HITRUST CSF Assessor firm, Qualified Security Assessor Company, accredited ISO 27001, ISO 27701 and ISO 22301 Certification Body, accredited FedRAMP 3PAO, accredited CMMC C3PAO and licensed CPA firm. Working with small businesses to global enterprises, A-LIGN experts and its proprietary compliance management platform, A-SCEND, are transforming the compliance experience.