SOC 2 Audits have become the standard for SaaS and other B2B technology-focused companies. People preparing for the SOC 2 audit process for the first time have common questions such as:
- SOC 2 Type 1 versus SOC 2 Type 2 audit?
- What time period should our SOC 2 audit cover?
- Do we need a SOC 2 Readiness Assessment?
- Which SOC 2 Trust Services Criteria do we need to follow?
This quick video discusses the common requirements and considerations for your SOC 2 audit.
the demand for SOC 2 audits has grown tremendously just over the last couple
years alone more and more large enterprises are
requiring their technology vendors to go through the soc 2 audit process so
we get a lot of questions about these there are a lot of considerations do i
do a sock two type one or a type two, do i need to do a readiness assessment
first you know what length of time should my
type two audit be all of those things and give you a couple pointers on what
we see going on in the environment so first i always always recommend a readiness
assessment before diving into a sock to audit even if you're already aligned with an
industry standard framework even something more complex like NIST 853 you still
want to do a SOC 2 readiness assessment because you need to understand
what you have to have in place before the auditor comes in you also need to
think about your trust service criteria which criteria
will you be audited on if you don't have a specific requirement i always
recommend starting with a security tsc or trust service criteria now that's
standard that's going to be in any soc 2 audit
but why add additional criteria if you don't have to most of the time what we see is
companies requiring soc 2 type 2 audits over a 12 month
period but they don't necessarily specify any more criteria beyond
the security tsc so keep that in mind think about a 12-month process now the
time that really makes the most sense for a sock 2 type 1 audit
which is a point in time assessment as opposed to assessment over a period of time
sock 2 type 1 is really good when you have a client demanding some sort of report by a
certain date because they can be done much quicker the downside to a soc 2 type 1
is that it it certainly doesn't hold the weight of a type 2
so be sure to consider the trust service criteria that you need to align with the
type of assessment and the length of time for the assessment
and remember if you have not done a soc 2 audit or have not done one
recently it's very important to have a risk assessment final thing i'll leave
you with is once you do the risk assessment give yourself about three three months or so
before you actually get into the audit process that'll give you
time to remediate any shortcomings and be prepared