Is the Auditor’s Role in a SOC 2 Audit Just to Find Gaps in Our System?

Originally published by MJD.

Written by Chris Giles, CPA, Senior Manager, MJD.

Q: Is the auditor’s role in a SOC 2® audit just to find gaps in our system?

A: MJD Answer

The auditor’s role in a SOC 2 audit is to provide an opinion on the design and operating effectiveness of the controls related to the trust services criteria that you have determined are relevant to meeting commitments made to your customers. During the audit process, we might identify gaps or control exceptions, but our role encompasses much more than that.

It’s important to first understand the role you (the service organization) have in the audit. Let’s use the analogy of securing a storage facility to help you understand the auditor’s role in the SOC 2 audit. In this example, you, the service organization, is responsible for determining how to secure the facility to ensure customers’ belongings are safe. You determine that you want all storage units behind a locked gate that requires a key code for entry, and each storage unit separately secured with a unique lock pad. You’ve told your customers that you will ensure the main gate remains locked at all times, and each storage unit behind the gate is locked to secure their belongings safely.

To test the design of your controls, the auditor will show up to inspect your facility (or in today’s world, schedule a Zoom meeting). They will ensure the main gate is locked when they show up and that a key code is required to enter. They will also look at an individual storage unit to ensure it is secured with a unique lock pad. If all goes well, they’ll determine your controls are designed appropriately. However, to truly limit the likelihood of theft of your customers' belongings, you need to operate the controls over a period of time consistently. To test the operating effectiveness of your controls, the auditor will show up at your facility randomly over a period of time (in reality, they will call you over Zoom) and make sure the main gate is locked and does not open without entering a key code. They’ll also go around to random individual storage units (as opposed to just looking at one) and make sure the unit is locked.

At the end of this process, the auditor will provide a report with their opinion on whether your controls were designed effectively and operated effectively. If the auditor identified the main gate opened without a key code, they would identify a design deficiency/gap. If they identified the main gate required a key code to enter, but two of the five individual storage units were left unlocked, they would identify an operating effectiveness deficiency/gap.

If the auditor take a collaborative approach, they'd provide you with some recommendations and best practices on how to address and remediate those gaps, but it would be your responsibility to remediate them. If their testing revealed the main gate and randomly sampled individual storage units were appropriately locked, you’d receive a report without any identified gaps. Then you can share your report with customers and prospects to demonstrate you’re meeting your commitments to secure their belongings.

‍

ChatGPT Answer

No, the auditor's role in a SOC 2 report is not to find gaps in a system, but rather to perform an independent evaluation of the system's controls and provide an opinion on the effectiveness of those controls in achieving the relevant Trust Services Criteria (TSC).

The TSC are a set of criteria defined by the American Institute of Certified Public Accountants (AICPA) that cover security, availability, processing integrity, confidentiality, and privacy. The auditor's job is to evaluate whether the controls implemented by the service organization are designed and operating effectively to meet these criteria.

While the auditor may identify gaps or weaknesses in the system's controls during their evaluation, their primary objective is to provide an opinion on the effectiveness of the controls in place, rather than simply identifying gaps. If significant gaps or weaknesses are identified, the auditor will typically report those findings to management and may make recommendations for improvement.