Who Performs a SOC 2 Audit? The Role of SOC 2 Auditors vs. Compliance Software
Blog Article Published: 08/12/2022
Originally published by A-LIGN.
Written by Stephanie Oyler, Vice President of Attestation Services, A-LIGN.
Data breaches and ransomware attacks continue to dominate the news cycle. To protect data and position themselves favorably among prospects and customers, companies need to demonstrate a commitment to cybersecurity.
Enter SOC 2 (Service Organization Control 2), a popular audit that attests to a company’s ability to protect data and information. It’s a strong validator for any company looking to demonstrate its commitment to cybersecurity to partners and customers.
Pursuing a SOC 2 audit is a multi-step process, which can seem confusing at first glance because some vendors provide compliance software while other vendors are themselves certified SOC 2 auditors.
This blog will clarify the SOC 2 audit process, as well as explain the role of SOC 2 auditors and compliance software.
When and How to Use SOC 2 Software Tools
There are multiple steps to completing a SOC 2 audit. Many companies start with a readiness/gap assessment: reviewing the controls already in place and identifying those that need to be improved or implemented. This step can be carried out by an audit consultant or with specialized software tools that simplify the process (like A-SCEND).
Compliance software tools typically provide automated workflows and compliance templates, comparing your existing controls against the controls within a selected compliance framework — which, in this case, would be the SOC 2 framework.
Typically, this software allows you to visualize progress toward compliance goals, assign tasks related to evidence collection or policy updates, and collaborate all in one dashboard. Software tools provide a simple way to understand the framework requirements, assess them against your existing policies and procedures, and manage the process of updating policies. While these tools help to better prepare for an audit and streamline the assessment process, an experienced auditor is still a critical component of compliance.
When and How to Use SOC 2 Auditors
Software tools can only take you so far with SOC 2. They can help prepare a company for a SOC 2 audit, but not complete the audit itself. When the actual audit takes place, companies must turn to a SOC auditor.
SOC 2 audits are regulated by the American Institute of Certified Public Accountants (AICPA) and must be completed by an external auditor from a licensed CPA firm. This is the only way a company can receive an official SOC 2 report, whether it’s a Type 1 or Type 2 report.
An official SOC 2 report is valid for one year following the date the report was issued. Future annual audits must also be completed by an external auditor from a licensed CPA firm.
Working with SOC 2 Service Providers
If your organization plans to use software to prepare for an audit, it’s helpful to work with a software partner who can also conduct the official audit (as a certified CPA) because it provides an added layer of convenience throughout the SOC 2 process and results in a reputable report.
Organizations need to go beyond the data collected by their compliance software tool and conduct further due diligence, such as observations and walkthroughs (conversations) between the audit team and the client. SOC 2 auditors may also find that they need additional data or evidence to validate the design and operating effectiveness of the complete control set. When you use the same company for a technology-enabled audit and the SOC 2 report, the software is designed to request all audit materials needed, including manually operated controls and supporting evidence. In this scenario, you can save time, resources, and money.
About the Author
Stephanie Oyler is the Vice President of Attestation Services at A-LIGN, focused on overseeing a variety of assessments within the SOC practice. Stephanie’s responsibilities include managing key service delivery leadership teams, maintaining auditing standards and methodologies, and analyzing business unit metrics. Stephanie has spent several years at A-LIGN in service delivery roles, from auditing and managing client engagements to overseeing audit teams and providing quality reviews of reports. Prior to joining A-LIGN, Stephanie worked for CBIZ, the tenth largest accounting firm in the U.S., providing auditing services in the financial accounting spectrum for various industries including automobile, hospitality, not-for-profit, real estate, and cloud architecture. Stephanie graduated from the University of South Florida with a Bachelor of Science degree in Accounting. During her time at the University of South Florida, Stephanie was an active member of Beta Alpha Psi, an international honor society for Accounting, Finance, and Information Systems students and professionals.