What's Required After My First SOC 2 Report?
Published 02/21/2024
Originally published by MJD.
Written by Mike DeKock, CPA, CEO, MJD.
Q: What is required after my first SOC 2 report?
A: MJD Answer
You’ve completed your SOC 2 report. That first-time report can be a lot of work, and it’s worth celebrating while you hang the new AICPA logo on the website. So what’s next?
If you have done it right, it’s pretty simple because your controls have been baked into the way you do business so you just need to follow the new expectations you have set for your organization. It doesn’t have to be hard or complex, but it’s new and a lot to keep organized, so here are some things to consider to help you along the way.
- Plan your next audit now. Figure out the timing, set expectations with the auditor, and calendarize the annual compliance schedule while any challenges are fresh in your mind.
- Maintain a continuous, annual reporting cycle that covers 12 months. Your customers will want to see ongoing compliance, and continuing to hold your team accountable will avoid dust collecting on the program and having to start over again.
- Be strategic with how you document controls. Don’t “document everything” - document the right things. So much time with SOC 2 gets wasted on throwing documents against the wall, hoping one of them gets the auditor to go away, but it doesn’t have to be that way. Go through your report and identify what is needed and when it’s needed, and craft some clean, clear, easy-to-follow audit evidence to support your great work. It’s ok to make it easy for the auditor.
- Keep the program active. I don’t love the auditor/dentist comparison, but brushing your teeth 5x the day before the appointment doesn’t make up for a year's worth of neglect (or so I have been told). Hold standing meetings, maintain communication with your auditor, and find ways to challenge and strengthen your controls. Continuous, iterative, and agile beats a reactive, waterfall approach every time.
- Keep SOC 2 top of mind, and don’t let it become the scapegoat for bad systems. Telling your team, “sorry, this procedure is required for SOC 2” is not going to inspire the level of engagement you would get from “we’re doing this to maintain our customers' trust.”
And ultimately… If you have the right systems and organizational buy-in, SOC 2 is really no more than a project management exercise. It may not be “easy” for everyone, but there’s absolutely no reason it should be hard.
A: ChatGPT Answer
After the first SOC 2 report, there are several actions that may be required, depending on the outcome of the audit and the specific needs of the organization:
- Address any identified gaps or deficiencies: If the SOC 2 audit identified any gaps or deficiencies in the organization's controls, these must be addressed promptly. The organization should develop a plan to remediate any issues and ensure that the necessary changes are implemented.
- Conduct regular monitoring and testing: To maintain compliance with SOC 2, the organization should conduct regular monitoring and testing of its controls to ensure they are working effectively. This includes ongoing risk assessments and periodic testing of controls.
- Maintain documentation: The organization should maintain documentation to demonstrate its compliance with SOC 2 requirements. This includes policies, procedures, and evidence of controls.
- Engage in regular SOC 2 audits: To maintain SOC 2 compliance, the organization should engage in regular audits. This may include an annual SOC 2 Type 2 audit or periodic SOC 2 Type 1 audits.
About the Author
Most people describe me as a passionate, unconventional thinker with a unique talent for simplifying the complex. I have a degree from the University of Iowa, am a licensed CPA, and started my career as a financial statement auditor, where I developed a passion for process improvement and became a subject matter expert in applying the audit and attestation standards. I spent much of my career as a general practitioner, but when I began focusing on SOC reports in 2017, everything became clear, and I discovered the next step in my career path. I started MJD Advisors in 2021 with a niche focus on SOC reports for technology companies, and I hope I never have another job.