The Best SOC 2 Compliance Checklist for Prepared IT Leaders

By: Rob Morris on September 18, 2019

Preparing an IT department for a compliance audit of any kind can be a challenging task. In the case of a System and Organizational Control (SOC) examination, the scope of the audit could encompass a very broad range of policies and procedures. There are many items that could potentially be included on a SOC 2 compliance requirements list, so it’s helpful to have a good understanding of what goes into a SOC 2 report.

What is an SOC 2 Report?

An SOC 2 audit is performed primarily for the benefit of an organization's customers. Performed by a third party, the audit provides a report detailing the auditor’s assessment of whether or not a service organization has the proper controls in place to meet the relevant Trust Services Criteria of the American Institute of Certified Public Accountants (AICPA) when it comes to data access.

While SOC 2 reports address security, they don’t directly deal with information security policies that would typically fall under the description of cybersecurity. They do, however, focus on the physical and logical security procedures put in place to implement those information security policies as part of a broader business model. From a customer’s perspective, an SOC 2 report provides details about what controls a service organization has implemented to provide oversight, manage vendors, mitigate risk, and enforce appropriate internal governance.

Do You Need a Type I or Type II Report?

The first major question to ask when preparing for an SOC 2 report is what kind of report is being requested. Although both types of SOC 2 reports assess the design of a service organization’s controls, their primary difference is the amount of time that the report covers.

An SOC 2 Type I report provides an auditor’s determination of whether or not an organization’s controls are sufficient to meet relevant Trust Services Criteria at a specific point in time. The primary focus in a Type I report is on control design rather than documenting how well those controls perform in practice. An SOC 2 Type II report, on the other hand, looks at whether those controls are effective over a period of time, usually six to twelve months. For most organizations, a Type I report is requested when they begin working with a customer and then followed up with a Type II report some time later.

What is the Scope of the Audit?

When it comes to SOC 2 reports, every report is unique. This makes it difficult to provide a universal checklist that can apply to every organization. The primary question comes down to determining what the scope of an audit needs to be.

Although the AICPA has defined five Trust Services Criteria, not all of them may be applicable to every service organization or customer. When a customer requests a SOC 2 report, they must define what the scope of that report will be. This determines what controls, safeguards, policies, and procedures the auditor will assess and include in their final report. Defining the scope of the report can help to determine what steps need to be included in an SOC 2 compliance checklist.

SOC 2 Trust Services Criteria

Security

The foundational Trust Service Criteria, security is sometimes referred to as the “common criteria” because it must be included within the scope of any SOC 2 report. It is the most comprehensive criteria because the systems and processes it requires are foundational to other criteria. The security audit primarily focuses on the design of access controls that manage and record how people access systems where data is stored and how those users are authenticated. It also covers how inappropriate, unauthorized, or suspicious activity is reported and addressed. Systems should be in place to document how data is being accessed, used, and otherwise managed.

As of 2019, the security/common criteria was aligned with the 2013 COSO Internal Control - IntegratedFramework. Developed by the Committee of Sponsoring Organizations, (COSO), this list of 17 principles is used to evaluate the design and effectiveness of an organization’s internal controls. These principles are grouped into five components:

  • CC1 Control Environment: Establishes policies, procedures, expectations, and strategies that enable an organization to govern an oversee objectives.
  • CC2 Communication and Information: Establishes how and under what conditions information is shared internally and externally.
  • CC3 Risk Assessment: Identifies and assesses risks (both their likelihood and their potential impact) that could threaten the security objectives of an organization’s control, including fraud and vendor risks.
  • CC4 Monitoring Activities: Assesses and evaluates internal controls to determine whether they are sufficient to meeting organizational objectives. Also outlines what corrective actions should be taken in the event of control deviations or deficiencies.
  • CC5 Control Activities: Actions established through policies, procedures, and processes that work in conjunction throughout all levels of an organization to ensure the achievement of security objectives.

In addition to the 2013 Internal Control - Integrated Framework, organizations preparing an SOC 2 audit checklist also often refer to COSO’s 2017 Enterprise Risk Management - Integrated Framework to make sure they have the right controls and processes in place to manage risk.

Availability

This requirement focuses on how well a service organization keeps the information it stores and the services it provides available for use and operation by its clients. It is especially important for third-party vendors who need to access a contractor’s databases, applications, or functions in the course of their work. The terms of system and data availability should be included in a service level agreement (SLA) as well.

Processing Integrity

As many customers rely upon service organizations to process their protected data in some way, they often want assurances that all data processing will be valid, accurate, complete, timely, and authorized. This protects customers from processing errors that could have an impact on their business. Processing integrity controls are especially important for financial services companies.

Confidentiality

This provision applies to a special form of non-personal data designated as “confidential.” While not easily defined, it’s generally considered to be any form of proprietary information that is essential to a client’s business operations and could result in damages were it to be compromised. Some examples of confidential information could include business plans, legal documents, technical drawings, or other intellectual property. Once designated as confidential, this data must be accorded the same privacy and access protections that apply to personal data.

Privacy

The protection of personal information and data falls under the privacy Trust Services Criteria. Personal information refers to any data that can be attributed to an individual. While many of the controls that apply to personal information are covered by the security provisions of the Trust Services Criteria, additional privacy controls are often required when a service organization is directly involved with gathering and processing an individual’s personal information on behalf of a client. Some of these controls include (but are not limited to) procedures for providing notice when data is gathered, accommodating choice and consent, governing access and disclosure, and stipulating the use, retention, and disposal of data.

Preparing for an SOC 2 Audit

When a customer requests an SOC 2 report from a service organization, the type and scope of the report will be clearly defined. Once it knows what criteria the auditor will be evaluating, security and compliance officers can begin to prepare by gathering the requested information and conducting internal SOC 2 self-assessment to identify potential risks or existing gaps in compliance controls. At this point, a more specific checklist can be developed based on the scope of the audit to help prepare for the auditor’s assessment.

A SOC 2 examination can be a stressful event for any IT leader, but with the right preparation, it doesn’t have to be something to be feared. If test procedures and security policies are well-developed and maintained on a regular basis, preparing for an audit should not present a huge disruption to standard operating procedures. The best service organizations approach compliance as a year-round priority, not just something to be concerned about when an audit is scheduled.

Speak to an Expert About Your Company's Specific Data Center Needs