Third Party Reporting
SOC 2 Checklists
October 14, 2020 • Michelle Bazzy
SOC 2 (System and Organization Controls) reports are becoming a prerequisite for competing in the marketplace. Most companies struggle to meet the SOC 2 compliance requirements, purchase templates that fall short during an audit, or hire firms that force them into predetermined best practices. RISCPoint understands these pain points and have put together this SOC 2 compliance checklist to help your organization succeed with its compliance initiative.
Determine what Trust Services Criteria are applicable to your services
Selecting the appropriate Trust Services Criteria (TSC) for your organization can be a daunting task, however there are a few easy steps that can be used to make sure you’re selecting the appropriate TSC’s for your report. All organizations are required to complete the Common Criteria for Security as a component of the SOC 2 assessment and may choose to include additional TSC’s to be assessed against. In order to determine whether any additional criteria should be included within the scope of the assessment, you should do the following:
Work with your customer base to determine if any of the additional TSC’s are important to them Consider the industry that you operate within and any unique attributes that may implicate additional Trust Services Criteria. To help provide some context, we have included a few examples for each Criterion below:
- Common Criteria/Security - Information and systems are protected against unauthorized access, unauthorized disclosure of information, and damage to systems that could compromise the availability, integrity, confidentiality, and privacy of information or systems and affect the entity’s ability to achieve its objectives.
- Availability – This criterion is usually selected when it is important to demonstrate that your organization has implemented appropriate controls to ensure that systems are available for operation.
- Confidentiality – This criterion is typically assessed if your organization is the custodian of data provided by another organization, whether through contractual or regulatory obligations, and you will need to verify that your organization has the ability to ensure the confidentiality of that data from collection through final disposition.
- Processing Integrity - This criterion is typically included if your organization performs transaction-based activities and is responsible for ensuring the completeness, accuracy, and timeliness of system processing.
- Privacy – This criterion is typically included for organizations who collect or process “personal data” as a component of the services offered. If your organization is collecting personal data then your organization may have an obligation to validate the information is collected, used, retained, disclosed, and disposed of properly.
Determine the Type of Report Required
Determining the Type of SOC 2 report that is right for your organization depends heavily on the motivation for becoming SOC 2 compliant.
To better understand which Type is right for your organization, you need to first determine if the SOC 2 is being performed to satisfy any requirements or client requests, if not it will heavily depend on how quickly you want to receive the report to share with your existing client base and demonstrate to prospective clients the maturity of the existing control environment.
Type 1 is intended to validate the “design” of the controls within your environment as of a point in time. This will typically be the first step in your compliance journey to validate that you have implemented appropriately designed controls to meet the SOC 2 Trust Services Criteria,
Type 2 is intended to validate the “operational effectiveness” of the controls within your environment over a period of time. This will typically be performed after the successful completion of a Type 1 report to validate the operational effectiveness of your compliance program over a period of time.
Budgeting and Planning for the Audit
When budgeting for a SOC 2 audit there are many factors that can considerably change the cost of the audit depending on the size and complexity of your environment. The piece that is often neglected is that this only represents the cost of the audit itself and there are other factors to consider:
- The overall cost of your internal resources utilized to support the SOC compliance environment
- The lost revenue from your operational resources working on implementing your compliance environment
- Ongoing costs of compliance due to the annual maintenance of the compliance environment
- Additional Full Time Employees to support the compliance environment
- Technology costs to implement appropriate tools to support the compliance environment
- The cost of repeating the audit from not getting it right the first time.
When you begin to factor in all of these costs you can see that it can really begin to add up.This is why it is critical to ensure that the compliance environment is built in a manner that is unique to your organization, is scalable as you grow, and that the audit is completed successfully the first time around.
Through our experience in implementing and managing SOC 2 compliance environments, we have identified some common pitfalls that many first-time organizations succumb to, including:
- Not having sufficient understanding of the SOC 2 compliance processes
- Purchasing “template” policies and inserting your organizations name
- Inexperience working directly with audit firms
- Relying on “automated compliance” tools with guarantees of passing an engagement for a subscription fee
Keys to Success
RISCPoint has significant experience in aiding companies the implementation, audit facilitation, and on-going maintenance of the compliance environment. Through our experience, we have identified a few keys to the successful completion of your SOC 2 assessment:
- Conduct an internal assessment of the controls within your environment against the applicable Trust Services Criteria to identify potential gaps in compliance
- Hire an industry expert to navigate your organization through the preparation for and the facilitation of the audit.
RISCPoint revolutionizes the cybersecurity and compliance world by applying a proprietary and innovative approach delivered by experienced professionals. Rather than just meeting the SOC 2 requirements, our consultants help you optimize your processes and gain value while minimizing the burden of compliance. We aim to help you meet the relevant standards while providing a painless audit experience.