If you have recently finished a SOC 1 or a SOC 2 Examination, you may be tempted to put a hold on thinking about your next annual audit. However, the truth is that the sooner you start planning, the smoother your next audit will go.
Below are ten best practices to consider as you prepare for future SOC Examinations.
1. Gather/maintain audit evidence in a repository in advance of the audit
Gather and organize the required audit information according to the SOC criteria or control objective before the auditors arrive, so that the files can be handed over quickly and easily during the assessment. Ensure that each piece of evidence is clearly labeled and dated (for screen captures, take the full screen with the system date/time visible) so that the auditor can easily determine when it was collected.
Off-the-shelf Security Compliance Software (e.g., Drata, Hyperproof, Vanta, Secureframe, OneTrust) can automate the collection and organization of evidence, making it easier to ensure that all necessary information is included in the repository. For example, automated logging and monitoring tools can collect and organize log data, while automated vulnerability scanning tools can collect information on your network and application security. If your Security Compliance Software does not timestamp its system-generated outputs, consider placing the evidence in Word or PDF files with timestamped headers.
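One way to make a hand-built evidence repository self-describing, as an added example that is not AARC-360's or any vendor's code: keep a manifest beside the files that records, for each item, the control reference it supports, a UTC collection timestamp and a SHA-256 digest. The timestamp answers the auditor's "when was this collected?" question without relying on screen captures, and the digest lets you show the file is unchanged since collection. The file names, contents and control references (numbered in the style of the SOC 2 Common Criteria) are constructed for illustration.

```python
"""Evidence manifest for a SOC audit repository (added example, not AARC-360 code).

Each entry records the control reference, a UTC collection timestamp and a
SHA-256 digest, so the repository itself shows when evidence was collected and
that it has not been altered since. All sample files below are constructed.
"""
import hashlib
import json
import os
import shutil
import tempfile
from datetime import datetime, timezone


def sha256_file(path):
    """Stream the file through SHA-256 so large exports do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def add_evidence(manifest, root, relpath, control_ref, description, collected_at=None):
    """Append one evidence entry under its control reference.

    collected_at defaults to the current UTC time; pass a datetime when the
    evidence was collected earlier (e.g. a dated export) to record that instead.
    """
    ts = collected_at or datetime.now(timezone.utc)
    full = os.path.join(root, relpath)
    entry = {
        "control": control_ref,
        "path": relpath,
        "description": description,
        "collected_at": ts.isoformat(timespec="seconds"),
        "sha256": sha256_file(full),
        "size": os.path.getsize(full),
    }
    manifest.setdefault(control_ref, []).append(entry)
    return entry


def verify_manifest(manifest, root):
    """Return the relative paths whose current digest no longer matches the manifest
    (missing files count as changed)."""
    changed = []
    for entries in manifest.values():
        for e in entries:
            full = os.path.join(root, e["path"])
            if not os.path.exists(full) or sha256_file(full) != e["sha256"]:
                changed.append(e["path"])
    return changed


def demo():
    """Build a small repository in a temp directory, write manifest.json, then
    tamper with one file and show that verification catches it."""
    root = tempfile.mkdtemp(prefix="soc-evidence-")
    # Constructed evidence files: relative path -> content
    samples = {
        "CC6.1/admin-group-members.txt": b"Administrators: alice, dave\n",
        "CC7.2/siem-alert-review-2024-05.txt": b"Alerts reviewed: 14, escalated: 2\n",
    }
    for rel, content in samples.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as f:
            f.write(content)

    manifest = {}
    add_evidence(manifest, root, "CC6.1/admin-group-members.txt", "CC6.1",
                 "Admin group membership export")
    add_evidence(manifest, root, "CC7.2/siem-alert-review-2024-05.txt", "CC7.2",
                 "Monthly SIEM alert review")
    with open(os.path.join(root, "manifest.json"), "w") as f:
        json.dump(manifest, f, indent=2)

    before = verify_manifest(manifest, root)
    # Simulate a post-collection edit to one evidence file.
    with open(os.path.join(root, "CC6.1/admin-group-members.txt"), "ab") as f:
        f.write(b"Administrators: mallory\n")
    after = verify_manifest(manifest, root)

    shutil.rmtree(root)
    return {"manifest": manifest, "changed_before": before, "changed_after": after}


if __name__ == "__main__":
    result = demo()
    print(json.dumps(result["manifest"], indent=2))
    print("changed before tampering:", result["changed_before"])
    print("changed after tampering:", result["changed_after"])
```

Run `verify_manifest` again just before the auditor's fieldwork; any path it returns needs to be re-collected and re-stamped rather than quietly replaced.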
2. Plan for your participation
Planning to save the required documentation is crucial for a successful SOC Examination: if an activity is not documented, the auditor cannot conclude that it was performed. For example, detailed, up-to-date policies and procedures should be in place for all in-scope controls, such as access controls, incident response, and data backups. Plan to perform your own testing and monitoring to identify potential vulnerabilities and weaknesses before the auditor does. Document and save the results of those activities and any remediation actions taken so the auditor has proof that they were carried out.
3. Take a fresh look at your Risk Assessment process
Make sure your annual risk assessment includes:
- Significant changes to infrastructure and operations,
- New/elevated security threats,
- Fraud risks, and
- Regulatory requirement changes.
4. Manage leadership’s audit expectations
Auditors must report all testing exceptions in the SOC Report, even minor ones, so most reports contain reportable findings, and your report readers should not be surprised by them. This might seem purely negative at first; however, reportable findings are not something to be afraid of. They give the organization an opportunity to discuss remediation and to demonstrate how it is improving its overall security posture.
5. Further automate access control processes
There are several ways you can streamline or automate your access control processes in preparation for a SOC Examination:
- Identity and Access Management (IAM) Software: An IAM solution can automate the provisioning and de-provisioning of user access. This helps ensure consistent compliance with the access controls that are part of every SOC Examination.
- Automating User Access Reviews (UAR): UARs are part of most SOC Examinations. Applying automation to access list gathering and manager attestation makes it easier to avoid UAR audit findings.
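What an automated UAR actually does, as an added example that is not AARC-360's code or a description of any particular product: join an application's access export against the HR roster, flag the exceptions an auditor looks for (access still active for a terminated person, accounts with no HR owner, accounts with no recent login), group the remaining entries into per-manager attestation packets, and refuse to record an attestation until the manager has decided on every entry in the packet. The roster, access export, 90-day staleness threshold and role names are all constructed for illustration.

```python
"""Automated user access review (UAR): exception flagging plus manager attestation.

Added example, not AARC-360 code. HR roster, access export, threshold and role
names below are constructed.
"""
from datetime import date

# Constructed HR roster: username -> manager and employment status
HR_ROSTER = {
    "alice": {"manager": "carol", "status": "active"},
    "bob":   {"manager": "carol", "status": "terminated"},
    "dave":  {"manager": "erin",  "status": "active"},
    "carol": {"manager": "erin",  "status": "active"},
    "erin":  {"manager": "erin",  "status": "active"},   # executive, self-managed
}

# Constructed access export from an in-scope application (last_login None = never)
ACCESS_EXPORT = [
    {"user": "alice",      "role": "user",  "last_login": date(2024, 5, 20)},
    {"user": "bob",        "role": "admin", "last_login": date(2024, 1, 3)},
    {"user": "dave",       "role": "admin", "last_login": date(2023, 12, 1)},
    {"user": "svc_backup", "role": "admin", "last_login": date(2024, 5, 29)},
    {"user": "carol",      "role": "user",  "last_login": None},
]

STALE_DAYS = 90                 # assumed review threshold
PRIVILEGED_ROLES = {"admin"}    # roles that get extra scrutiny in the packet


def review_access(access, roster, as_of, stale_days=STALE_DAYS):
    """Return (exceptions, packets).

    exceptions: entries with at least one flag, for the control owner to remediate.
    packets:    {manager: [entries of that manager's active reports]} for attestation;
                flagged entries of active users stay in the packet, flags included,
                so the manager sees them. Terminated users and accounts with no HR
                record have no manager to attest and appear only in exceptions.
    """
    exceptions, packets = [], {}
    for entry in access:
        user, person, reasons = entry["user"], roster.get(entry["user"]), []
        if person is None:
            reasons.append("no HR record (service account or orphan; needs a named owner)")
        elif person["status"] != "active":
            reasons.append("terminated in HR but access still active")
        last = entry["last_login"]
        if last is None or (as_of - last).days > stale_days:
            reasons.append(f"no login in {stale_days} days")
        if reasons:
            exceptions.append({"user": user, "role": entry["role"], "reasons": reasons})
        if person is not None and person["status"] == "active":
            packets.setdefault(person["manager"], []).append({
                "user": user,
                "role": entry["role"],
                "privileged": entry["role"] in PRIVILEGED_ROLES,
                "flags": reasons,
            })
    return exceptions, packets


def missing_decisions(packet, decisions):
    """Users in the packet the manager has not yet decided on ('keep' or 'remove')."""
    return [e["user"] for e in packet if decisions.get(e["user"]) not in ("keep", "remove")]


def record_attestation(packets, manager, decisions, as_of):
    """Build the attestation record to file as evidence. A packet cannot be
    attested with entries left undecided, which is the usual source of UAR findings."""
    packet = packets.get(manager, [])
    missing = missing_decisions(packet, decisions)
    if missing:
        raise ValueError(f"{manager} has not decided on: {missing}")
    return {
        "manager": manager,
        "date": as_of.isoformat(),
        "decisions": {e["user"]: decisions[e["user"]] for e in packet},
    }


if __name__ == "__main__":
    as_of = date(2024, 6, 1)
    exceptions, packets = review_access(ACCESS_EXPORT, HR_ROSTER, as_of)
    for e in exceptions:
        print(f"EXCEPTION {e['user']} ({e['role']}): {'; '.join(e['reasons'])}")
    for manager, packet in packets.items():
        print(f"packet for {manager}: {[e['user'] for e in packet]}")
    print(record_attestation(packets, "erin", {"dave": "keep", "carol": "remove"}, as_of))
```

Keep the exceptions list, the packets and each attestation record together with the raw access export in the evidence repository; the export proves what was reviewed, the record proves who reviewed it and when.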
6. Be Efficient! Integrate SOC Reporting controls with everyday processes and other IT compliance controls
When preparing for a SOC Examination, seek to consolidate control processes:
- Security Compliance Software: Implementing Security Compliance Software can help consolidate control processes and provide a centralized platform for managing and monitoring security controls. It can often integrate SOC Reporting controls with everyday processes and other IT compliance controls, providing a holistic view of your security posture while also collecting and preparing evidence of control operation.
- Incident Response and Business Continuity Planning: Consolidating incident response and business continuity planning can provide one framework for responding to incidents, ranging from false alarms to natural disasters. Consolidating multiple, disparate plans into a single plan with multiple levels of escalation or implementation can reduce the documentation requirements of an organization.
- Meeting agendas: Management governance provides evidence of proper control oversight. Adding agenda items to recurring management calls to document control compliance allows the auditor to obtain the required evidence. Easy examples are security control effectiveness reviews, change management approvals, and risk management decisions. If there were no issues to discuss at a recurring meeting, at least record an item stating that the subject was reviewed and nothing new was noted, which satisfies the documentation requirement.
7. When in Doubt: Ask your Friendly Auditor!
If you uncover a potential control issue during the year, ask your auditor’s opinion before they come in for the audit. Though the auditor’s role is to independently assess your controls, a good auditor is also there to provide guidance to improve controls. The ultimate responsibility for designing and implementing controls lies with your organization, but your auditor can be a great resource for more efficient and effective controls.
8. Communicate. Communicate. Communicate.
Clear and open communication channels with your SOC Auditor before, during, and after an audit are important for several reasons:
- Thorough communication helps ensure that the auditor clearly understands your controls and processes, which minimizes the risk of misunderstandings and lets the auditor provide an accurate assessment of the organization's controls.
- Timely communication ensures the auditor is aware of any issues or concerns you may have about your controls or the assessment process to avoid any last-minute surprises.
Consult with your auditor before making large technology changes. Significant changes to your infrastructure, new security technologies, or major changes to security policies and procedures will impact the audit. Advance discussion can yield feedback on how these changes may impact the assessment.
9. Right-size your audit scope
Ensure you’ve scoped your SOC Examination appropriately by following these steps:
- Select the right Control Objectives for a SOC 1 and the right Trust Services Categories for a SOC 2: Based on your business and the clients you serve, make sure you identify the right scope. For example, if you do not regularly access customers' Personally Identifiable Information (PII), the Privacy category may not be applicable to the scope of your SOC 2 Examination.
- Identify Systems, Applications and Tools that are in scope: Identify systems, applications, and tools that are used to deliver the services that are being audited (The AARC-360 “Information Request List”(IRL) provides a “Tech Summary” sheet to help with this). Simply ask yourself, “What will my customers expect to see in this report?” The answer should include only the systems, applications, and tools that are used to process, store, or transmit sensitive data in providing your services.
- Identify Third-Party Systems and Services: Third-party subservice organizations are vendors of systems, applications, and tools critical to the processes and systems under audit. Though these vendor systems may not be directly assessed by the auditor, the responsibility for understanding them and their effect on the in-scope system rests with you as the user of those subservices. Whether a vendor is in scope will depend on the services that you provide and the type of data that is processed, stored, or transmitted. For example, a company that provides cloud storage services will have a different scope than a company that uses cloud storage services.
10. Integrate and leverage the SOC Reporting process to enhance your Marketing Program
Publicizing that you have undergone a SOC Examination can differentiate your company from competitors. A SOC Report can build trust with customers and improve your reputation in the marketplace.
By advertising the completion of a SOC Examination through press releases and other marketing materials, you can signal to potential customers that you take security seriously and can be trusted with sensitive information. A press release announcing the completion of a SOC Examination can highlight the rigorous nature of the audit, the controls that were evaluated (e.g., data encryption, access controls), and quote a company executive speaking to the importance of data security and the peace of mind the audit provides to customers.
Joseph Thorin (Associate Audit Manager, AARC-360)
Neil Gonsalves (Founder and CEO, AARC-360)
Bernie Wedge (Advisory Board Member, AARC-360)