Going through a SOC audit can seem overwhelming. In our conversations with clients, particularly those undergoing their first audit, there are common fears about what mistakes might lead them to a SOC report with a qualified opinion or, potentially worse, a SOC report examination that feels like it will never end.
The following list of common pitfalls to avoid can help you have a more efficient and effective audit. Let’s take a closer look.
Not identifying your in-scope audit environment
A SOC audit focuses on the environment and system you identify during planning. If your audit team is close to issuing the report and new systems come into scope that you didn’t previously identify, this will cause delays. Further, if the new evidence is provided outside of the initial audit period, this can require a new report period, which leads to additional work and substantial delays.
Not identifying segregation of duties issues before the start of the audit
We understand that each company is unique, and teams require collaboration to achieve their goals. However, it is important to consider how incompatible duties are segregated when structuring your team. One common area where potential segregation of duties conflicts arise is the change management process. In most circumstances, it is crucial that the person developing a change be different from the person approving and implementing the change into production. If we identify a lack of segregation of these duties during the audit, and there are no appropriate compensating controls (e.g., file integrity monitoring), we may be required to modify the report opinion. Most segregation of duties conflicts can be mitigated by compensating controls. It is essential to discuss known segregation of duties conflicts with your auditor as soon as possible so that compensating controls can be identified and appropriately tested.
Not performing the process as stated in the agreed-upon controls
The controls need to be an accurate reflection of your environment. If the process actually performed deviates from the stated control and creates gaps, it can lead to additional risks and potential audit exceptions. If any gaps need to be addressed, it’s better to identify and remediate them before the start of the audit.
Not providing complete and accurate evidence
To minimize delays and follow-up questions from your auditors, and to decrease your own workload, it’s important to consider the following:
- If you provide system-generated lists, be sure to include documentation of what system the list is coming from, how it was generated, and when.
- When providing system configurations and settings, the evidence should show when it was generated. This will help ensure the evidence is within the audit period.
- When providing system configurations, settings, or reports, the evidence should also cover all of the in-scope systems (e.g., servers, databases, applications) for the audit. Failing to consider this can lead to numerous follow-up questions from the auditors, which slows down the audit and causes frustration.
What you need to provide to your auditor
When you engage a firm to perform your SOC audit, it’s helpful to have two key documents:
- Management’s description of the system. This narrative document provides details on the processes and controls that enable the organization to achieve its service commitments and other objectives related to security, availability, processing integrity, confidentiality, and privacy.
- Control matrix. The control matrix is usually a spreadsheet that outlines the specific controls that relate to the criteria. It describes what actually occurs and the individuals responsible for performing the control.
If you don’t have these documents, do not fret: your auditor can help guide you through the process and provide examples of best practices.
During fieldwork, the auditors may request a variety of additional documents to facilitate their audit procedures. The documents you need to provide will depend on the type of SOC audit and scope. Some common requests include:
- Written administrative and security policies
- Cloud/infrastructure certifications and agreements
- Technical security documentation
- Third-party and vendor contracts
- Existing documentation from any previous security assessments or audits
- User access listings
- Screenshots of system configurations and settings
Bringing It All Together
Audit mistakes can qualify a report, create exceptions, or, worse yet, leave your organization susceptible to external attacks as a result of the underlying issues. The audit will be faster, more efficient, and more helpful to your organization with some advance preparation.
If you would like to discuss SOC audits more in-depth, grab your copy of our new e-book called SOC Reports: Your Complete Guide or get in touch so that we can help your organization with your auditing needs.