As a compliance manager or IT admin who is in charge of managing SOC 2 audits, it’s common to find yourself taking on sole responsibility for your entire organization’s controls in an attempt to ensure consistency and compliance. However, this creates unnecessary challenges when audits begin and is almost impossible to keep up with on top of your other day-to-day duties.
To avoid this, a major part of both of these roles needs to be focused on delegating responsibilities while building relationships and awareness with the assigned control owners. If your organization is struggling with a disconnect here, taking a step back and reassessing your SOC 2 audit framework is a good place to start; but ultimately, getting this balance and partnership established is one of the most effective ways to pass SOC 2 audits consistently.
So now that you are preparing for the inevitable SOC 2 audit, there are certain activities you can do to get ahead of these common challenges. Taking initiative and using a proactive approach will not only help you pass future SOC audits with flying colors, but it will also decrease your organization’s overhead and the amount of day-of stress that your team faces. A proactive approach regarding SOC 2 audits involves planning, delegation/ownership, internal audits, and control owner preparation.
This approach begins at the top of your organization and trickles down — management needs to set clear expectations for the entire team and assign control owners in order to avoid taking on all of the SOC responsibilities across the entire organization. From there, control owners need to fully embody their role and take complete ownership over their controls which involves internal auditing, consistency, rationalization, evidence storage, and communication.
Be Proactive, Not Reactive
By assigning controls to various key people across your organization, you can delegate different levels of responsibility to each. This is not only a relief to the compliance manager, but it also means that a closer eye can be kept on each control when they’re split between multiple people who can spend more time internally auditing them.
Being proactive rather than reactive will save your organization massive amounts of time and stress later on down the line by preventing failed audits and employee burnout. The best ways to be proactive as a member of management or the compliance manager are to assign controls to others and ensure that they’re set up in a way that allows them to take full ownership, build a positive and bidirectional relationship with each control leader, and schedule regular meetings with control leaders to discuss any issues that arise.
It can be difficult to get buy-in from assigned control leaders, as they already have full plates with their day-to-day responsibilities. During regular organizational planning, it’s important to prioritize initiatives and communicate to your team that SOC 2 compliance is high priority. On top of that, you may also need to help control owners adjust their priorities to take SOC into consideration and avoid overwhelming them with too many tasks.
Once priorities are set company-wide and workloads are as balanced as possible, relationship building and regular check-ins will prove to be essential to ensure complete ownership is taken over each control. It’s important to work with each control leader to make further workload adjustments, identify areas of control improvement, remind them of annual compliance commitments, and locate where their control evidence resides.
Aside from control owners, there are other essential positions that are part of a core SOC 2 team.
SOC 2 Team Positions
Keep in mind that you can build your SOC 2 team however you want, but assigning people to each of these positions on top of having control owners will help the entire process run more efficiently.
The other SOC 2 team positions we want to mention are:
- Executive Sponsor: This person needs to be able to explain why the organization is pursuing SOC 2, as well as why other initiatives across the company depend on having a SOC 2 report in hand. (SOC 2 results in an attestation report issued by a CPA firm, not a certification.)
Example: This can be the compliance manager, an IT professional, or another member of management.
- Project Manager: This person will be the primary driver of the SOC 2 effort, which involves day-to-day activities such as gathering information and scheduling SOC 2 related tasks.
Example: This can be someone who is great at getting tasks completed efficiently; they do not need compliance expertise or even to know the ins and outs of SOC 2.
- Primary Author: This person will handle some technical writing during the SOC 2 process.
Example: This needs to be someone with enough technical expertise to write accurately about your systems and processes. It is typically someone in a senior role with a deep understanding of the business itself and its operations.
- Legal: The legal team should be involved in your SOC 2 effort early on to provide guidance and edits to documentation.
- IT/Security: These teams will take on the brunt of the SOC 2 work, and they will feel the effects of any changes that come out of the process itself. Sometimes new employees will need to be hired to take on the additional responsibilities that stem from SOC 2, and sometimes existing employees will have to readjust to new technologies and tools that come into play.
- External Consultant: If you’re not very familiar with SOC 2, it may be worth bringing in an external consultant who is well-versed in compliance initiatives. Startups pursuing SOC 2 often go this route.
Example: This is often a Certified Public Accountant (CPA) that has a wide range of compliance knowledge.
Another thing to keep in mind is that one person can take on multiple roles — this often happens organically due to their current position in the organization as well as their knowledge set.
Undertake an Internal SOC 2 Audit
Completing an internal audit is a great way to prepare yourself and your team for an external SOC 2 audit. Processes get easier after you’ve run through them at least once, and an internal audit gives your team a chance to close any gaps and make changes to controls before you’re all put on the spot.
A few benefits of conducting an internal audit are finding out where control evidence resides for later use, ensuring there are no inconsistencies between controls, and encouraging control owners to focus on processes rather than ambiguous control language.
An important thing to remember is that with SOC, you can always change controls to keep up with your organization’s changing reality. Nothing is set in stone, and controls should be monitored and adjusted as the organization’s processes and commitments change and expand over time.
Tips for Control Owners and Administrators
As a control owner, preparation for a SOC 2 audit is key to remaining sane when it comes time for the actual thing.
Have a Method to Your Madness
Be able to explain to an auditor why you chose the controls and processes that you did; these are what you’re held accountable for and they need to be logical. Consider leveraging other defined standards such as PCI DSS or GDPR to help you explain the ‘why’ behind your choice of best practices, protocols, processes, etc. Your SOC 2 auditor tests the controls you describe against the Trust Services Criteria, not against those external standards, but using them to back up your reasoning will prove valuable.
Impose Consistent Controls
Controls don’t count if they aren’t being used; any controls you choose to use need to be operating. Automation is key for keeping consistency within your controls without having to reinvent the wheel, and a great example of this is zero-touch onboarding. Automation suits repetitive, standardized tasks such as onboarding, offboarding, and any other regular tasks you deal with, and it has a second benefit: the logs and job histories an automated workflow produces are themselves evidence that the control ran. If you can’t automate, this is where checklists and documentation proving that you followed the checklist become indispensable.
On top of that, auditors select samples at random from the full population of a control’s activity during the audit period (for example, a handful of the hires or terminations that occurred), so consistency will make collecting evidence much easier, because any sample will look like every other.
Leave a Trail
Leaving a documented trail of evidence proves that you’re adhering to the processes you outlined. Examples of this can be in the form of checklists with signatures, categorized helpdesk tickets, Slack channels, and email threads. Any time a change happens to a mission-critical system, ensure that it’s documented in the same place in the same format to achieve consistency.
Document Processes and Exceptions
As part of your paper trail, establishing and defining your processes and exceptions will serve you well during a SOC 2 audit. When putting out a new control, there will always be exceptions that need to be documented; it’s very rare that you’re able to have 100% coverage across a single control 100% of the time. However, keep exceptions as minimal as possible: monitor processes over time and remove exceptions whenever you can, since each one is a gap in the control and therefore an exposure.
In terms of change management, it’s important for employees and auditors to be able to reference documentation that details what the change was, why it happened, how it was handled, and who was involved.
Communicate Regularly and Clearly
As a control owner, it’s important to have regular communication with the audit and compliance managers. Loop them in whenever new software or systems that handle sensitive data are implemented, so the rollout is smooth and adheres to best practices. Clear communication between all parties helps ensure consistency in evidence formatting, confirms control responsibility and ownership, and lets any overlap between control owners across teams be laid out explicitly in front of all stakeholders.
This communication tells management, control owners, and external auditors who the point-person is for each control so they know who to contact for evidence or more insight into a topic.
Understand That it Gets Easier Over Time
Audits are a lot of work, but the more audits you go through, the more streamlined the process becomes. If multiple audits are performed in the same period, it’s likely that some evidence will cover both of them adequately.
Example: JumpCloud completed a SOC 2 Type 2 and an accounting/finance audit in succession, and everything in the accounting and finance audit had already been covered by the evidence from the SOC 2 audit. This meant all we had to do was some copying and pasting rather than starting from scratch and taking more time away from other important tasks.
Benefits of Preparing for a SOC 2 Audit
Whether you’re part of the management team, a compliance expert, an audit manager, or a control owner, preparing for a SOC 2 audit is more than worth it in the end. Putting in the work up front is ideal so you’re not scrambling to explain yourself or providing inconsistent/nonexistent evidence during an unexpected audit.
If your report came back with a qualified opinion or a long list of exceptions because you tried to take the steps outlined here retroactively, customers would quickly lose faith in you, resulting in negative publicity and a poor brand image. On top of that, employee burnout is much more likely during an audit when preparations were slim to none and your team is stressed and disorganized.
Learn more about how JumpCloud can help you pursue SOC 2 compliance and try it for free for up to 10 users and 10 devices.