Successfully Navigating SOC Reports – Top 10 Best Practices
If you have recently finished a SOC 1 or a SOC 2 Examination, you may be tempted to put a hold on thinking about your next annual audit. However, the truth is that the sooner you start planning, the smoother your next audit will go.
Below are ten best practices to consider as you prepare for future SOC Examinations.
1. Gather/maintain audit evidence in a repository in advance of the audit
Gather and organize required audit information according to the SOC criteria or control objective before the auditors arrive. This will enable you to simply drag-and-drop the files to the auditor quickly and easily during the assessment. Ensure that the evidence is clearly labeled and dated (full screen captures with Windows date/time stamp) so that the auditor can easily determine when it was collected.
Off-the-shelf Security Compliance Software (e.g., Drata, Hyperproof, Vanta, Secureframe, OneTrust) can automate the collection and organization of evidence, making it easier to ensure that all necessary information is included within the repository. For example, automated logging and monitoring tools can be used to collect and organize log data, while automated vulnerability scanning tools can be used to collect information on your network and application security. If your Security Compliance Software does not provide timestamps on system-generated outputs, consider placing the evidence within Word or PDF files with timestamped headers.
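As an added illustration of keeping an evidence repository labeled and dated (example code, not from the article or any of the tools named above), the script below indexes a directory of evidence files by SOC criterion, records each file's collection date and SHA-256, and flags files that are mislabeled or dated outside the examination period. The filename convention `<criterion>_<YYYY-MM-DD>_<description>.<ext>` is an assumption made for the example.

```python
import hashlib
import re
from datetime import date
from pathlib import Path

# Constructed naming convention for evidence files (an assumption, not from the article):
# <criterion>_<YYYY-MM-DD>_<description>.<ext>, e.g. CC6.1_2024-03-01_mfa-settings.png
EVIDENCE_NAME = re.compile(
    r"^(?P<criterion>[A-Z]{1,2}\d+\.\d+)_(?P<date>\d{4}-\d{2}-\d{2})_(?P<desc>[\w-]+)\.\w+$"
)


def parse_evidence_name(name):
    """Return (criterion, collection date, description), or None if the file is mislabeled."""
    m = EVIDENCE_NAME.match(name)
    if not m:
        return None
    try:
        collected = date.fromisoformat(m["date"])  # rejects impossible dates such as 2024-13-01
    except ValueError:
        return None
    return m["criterion"], collected, m["desc"]


def sha256_file(path):
    """Hash the file so the auditor can confirm the evidence was not altered after collection."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(repo, period_start, period_end):
    """Index evidence by criterion and flag files that are mislabeled or dated outside the period."""
    manifest = {"by_criterion": {}, "mislabeled": [], "out_of_period": []}
    for path in sorted(Path(repo).rglob("*")):
        if not path.is_file():
            continue
        rel = str(path.relative_to(repo))
        parsed = parse_evidence_name(path.name)
        if parsed is None:
            manifest["mislabeled"].append(rel)  # fix the label before the auditor asks
            continue
        criterion, collected, desc = parsed
        if not period_start <= collected <= period_end:
            manifest["out_of_period"].append(rel)  # evidence must fall inside the review period
        manifest["by_criterion"].setdefault(criterion, []).append(
            {"file": rel, "collected": collected.isoformat(), "description": desc, "sha256": sha256_file(path)}
        )
    return manifest
```

Run `build_manifest` over the repository before each evidence hand-off; an empty `mislabeled` and `out_of_period` list means every file carries a criterion and a date the auditor can tie to the period.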
2. Plan for your participation
Planning to save the required documentation is crucial for a successful SOC Examination: if an activity is not documented, the auditor cannot conclude it was done. For example, detailed, up-to-date policies and procedures should be in place for all in-scope controls, such as access controls, incident response, and data backups. Plan to perform your own testing and monitoring to identify potential vulnerabilities and weaknesses before the auditor does. Document and save the results of those activities and any remediation actions taken so the auditor has proof that they were carried out.
3. Take a fresh look at your Risk Assessment process
Make sure your annual risk assessment includes:
4. Manage leadership’s audit expectations
Auditors must report all testing exceptions in the SOC Report, even if minor, so most reports have reportable findings, and your report readers should not be surprised by findings. This might seem like a purely negative thing at first; however, reportable findings are not something to be afraid of. Reportable findings provide an opportunity for an organization to discuss remediations and demonstrate how they are improving the organization’s overall security posture.
5. Further automate access control processes
There are several ways you can streamline or automate your access control processes in preparation for a SOC Examination:
6. Be Efficient! Integrate SOC Reporting controls with everyday processes and other IT compliance controls
When preparing for a SOC Examination, seek to consolidate control processes:
7. When in Doubt: Ask your Friendly Auditor!
If you uncover a potential control issue during the year, ask your auditor’s opinion before they come in for the audit. Though the auditor’s role is to independently assess your controls, a good auditor is also there to provide guidance to improve controls. The ultimate responsibility for designing and implementing controls lies with your organization, but your auditor can be a great resource for more efficient and effective controls.
8. Communicate. Communicate. Communicate.
Clear and open communication channels with your SOC Auditor before, during, and after an audit are important for several reasons:
Consult with your auditor before making large technology changes. Significant changes to your infrastructure, new security technologies, or major changes to security policies and procedures will impact the audit. Advance discussion can yield feedback on how these changes may impact the assessment.
9. Right-size your audit scope
Ensure you’ve scoped your SOC Examination appropriately by following these steps:
10. Integrate and leverage the SOC Reporting process to enhance your Marketing Program
Publicizing that you have undergone a SOC Examination can differentiate your company from competitors. A SOC Report can build trust with customers and improve your reputation in the marketplace.
By advertising the completion of a SOC Examination through press releases and other marketing materials, you can signal to potential customers that you take security seriously and can be trusted with sensitive information. A press release announcing the completion of a SOC Examination can highlight the rigorous nature of the audit, the controls that were evaluated (e.g., data encryption, access controls), and quote a company executive speaking to the importance of data security and the peace of mind the audit provides to customers.
Joseph Thorin (Associate Audit Manager, AARC-360)
Neil Gonsalves (Founder and CEO, AARC-360)
Bernie Wedge (Advisory Board Member, AARC-360)