Getting Started – TrustCloud Auditors

To get access to the AuditLens application, please reach out to your customer contact, who can invite you to their AuditLens portal. The TrustCloud customer initiates the access, and you will receive an invitation email. Once you have accepted the customer’s AuditLens invitation, click on the four squares at the top left side of the landing page. This will switch you from the TrustOps view to the Audit Lens view.

Below is a detailed overview for each of the frameworks for your review.

Auditor SOC2 Process Flow:

  1. Once you’re on the Audit Lens view, you’ll notice a few things:
    1. Systems and Vendors are at the very top. If you click on them, they will take you to your customer’s Systems or Vendors page, inside of their TrustOps. This will give you access to the organization’s tech stack. Within, you will be able to see the types of data that your customer is storing in each system or vendor. We’ve segmented these into three different categories: Customer Confidential, [Company] Restricted, [Company] Confidential, and Public.
    2. Going back to the Audit Dashboard, the second thing you’ll notice is the framework Criteria section on the left. This is a summarized view of everything in scope for the audit organized by framework criteria.
    3. Lastly, on the top right-hand side, you will see an icon to download the control mapping. Selecting this will give you a CSV listing of all controls mapped to the SOC2 criteria. This will essentially be the Section 4 component of the SOC2 report.
    4. To give you an example of how to work out of this view, we’ve selected CC6 from the SOC2 framework to demonstrate.
      1. Once selected, you will be brought to a page that shows the policies and controls that need to be reviewed.
        1. The list is titled “Adopted Policies” because these are the policies that have officially been adopted internally by your customer.
        2. We generated this list from their program so that you can click on the policy name / link, review their policy text, look at the linked controls, see how the controls are being adhered to, and see the approval history.
        3. Instead of downloading their policies, you can now view them directly in their Trust Cloud.

AuditLens HIPAA Process Flow

  1. Make sure you’re logged into Audit Lens, not TrustOps.
    • If you’re logged into your client’s TrustOps, simply hover your mouse over the 4 squares in the top left corner and switch to the Audit Lens application.
  2. You will be brought to an Audit Dashboard.

Here, you’ll be shown your client’s Systems, Vendors, and HIPAA Activities. Systems and Vendors are at the very top. If you click on them, they will take you to your customer’s Systems or Vendors page, inside of their TrustOps.

  1. If you select Systems:
    1. This will give you access to the organization’s tech and business stack. Within, you will be able to see the types of data that your customer is storing in each system or vendor. We’ve segmented these into three different categories: Customer Confidential, [Company] Restricted, [Company] Confidential, and Public.
    2. You’ll also be able to see the status of your customer’s Systems. After clicking a system, it’ll bring you to that individual system’s page. Here, you can find the details of the system, its Automated Tests, and Self-Assessments.
    3. Lastly, on the top right-hand side, you will see an icon to download the control mapping. Selecting this will give you a CSV listing of all controls mapped to the HIPAA Security Requirements.
    4. Under Evidence, you’ll see either an orange exclamation icon or a green check mark. The orange exclamation icon means that the required evidence is missing. The green check mark means that evidence has been uploaded.
    5. To the right of these categories, you will see the “Related Controls” column, which brings you to the related control’s individual page. The corresponding test will be highlighted.
    6. Next you’ll see Actions, where you’ll be able to view their activity.
    7. You’ll see a similar flow for the Automated Tests.
  2. If you select Vendors:
    1. This will take you to your customer’s Vendors page inside of Trust Cloud. You’ll be able to see their vendors list, with the same segmentations from before.
  3. If you browse HIPAA Activities:
    1. You will see a high-level dashboard of your customer’s entire program as it relates to HIPAA activities.
      1. The Controls and Policies have percentages. These are just percentages that show your progression. The percentages do not mean that your client has completed their controls or policies. It means that you have reviewed all of their controls and policies.
      2. Anything with a yellow circle would indicate that it’s in progress.
      3. A “blank” section is one that doesn’t have the check mark or the yellow circle indicator. These are just sections you have yet to review.
    2. Once you click on a tile under the HIPAA Activities Section, you can see all the related controls and policies for that particular activity.
      1. You can select the Policy Name which will bring you to your client’s entire policy, linked controls, and the status of the controls.
      2. You can also select the 3 ellipses (or dots) in the top right corner. This will give you the option to view the Approval History, as well as to “Export the PDF”.
      3. If everything looks good, a policy’s Audit Status can be changed from “Not Started” to “Reviewed”. If you have additional questions for your client, you may select “Follow Up Required”.
      4. Once every policy has an Audit Status of “Reviewed”, you can then proceed to the top right corner and select the toggle button to officially mark the entirety as “Reviewed”.
    3. A similar flow will happen for the Adopted Controls section.
  4. You have the ability to click on the Control Name or Control ID.
  5. We created unique Control Names and Control IDs that are more approachable for customers, but on the left-hand side, we’ve also mapped out the specific HIPAA Criteria.
  6. To confirm this, you can select the Control Name, which will show you a description of the control, automated tests, and self-assessments that are in place.

AuditLens ISO 27001 Process Flow

  1. Make sure you’re logged into Audit Lens, not Trust Cloud.
    1. If you’re logged into your client’s Trust Cloud, simply hover your mouse over the 4 squares in the top left corner and switch to the Audit Lens application.
  2. You will be brought to an Audit Dashboard.
    1. Here, you’ll be shown your client’s Systems, Vendors, and ISO 27001 Sections.

Systems and Vendors are at the very top. If you click on them, they will take you to your customer’s Systems or Vendors page, inside of their Trust Cloud.

  1. If you select Systems:
    1. This will give you access to the organization’s tech and business stack. Within, you will be able to see the types of data that your customer is storing in each system or vendor. We’ve segmented these into three different categories: Customer Confidential, [Company] Restricted, [Company] Confidential, and Public.
    2. You’ll also be able to see the status of your customer’s Systems. After clicking a system, it’ll bring you to that individual system’s page. Here, you can find the details of the system, its Automated Tests, and Self-Assessments.
    3. Under the Status column, you’ll see which Tests are being run.
    4. Under Evidence, you’ll see either an orange exclamation icon or a green check mark. The orange exclamation icon means that the required evidence is missing. The green check mark means that evidence has been uploaded.
    5. To the right of these categories, you will see the “Related Controls” column, which brings you to the related control’s individual page. The corresponding test will be highlighted.
    6. Next you’ll see Actions, where you’ll be able to view their activity.
    7. You’ll see a similar flow for the Automated Tests.
  2. If you select Vendors:
    1. This will take you to your customer’s Vendors page inside of Trust Cloud. You’ll be able to see their vendors list, with the same segmentations from before.
  3. If you select ISO 27001 Sections:
    1. You can click on each tile and see the Adopted Policies and Adopted Controls.
    2. If you select a Policy, you’ll be able to review your client’s policy inside of their Trust Cloud, as well as the related Controls and their status.
    3. You can also select the 3 ellipses (or dots) in the top right corner. This will give you the option to view the Approval History, as well as to “Export the PDF”.
    4. If everything looks good, a policy’s Audit Status can be changed from “Not Started” to “Reviewed”. If you have additional questions for your client, you may select “Follow Up Required”.
    5. Once every policy has an Audit Status of “Reviewed”, you can then proceed to the top right corner and select the toggle button to officially mark the entirety as “Reviewed”.
  4. The Controls and Policies have percentages. These are just percentages that show your progression. The percentages do not mean that your client has completed their controls or policies. It means that you have reviewed all of their controls and policies.
  5. Anything with a yellow circle would indicate that it’s in progress.
  6. A “blank” section is one that doesn’t have the check mark or the yellow circle indicator. These are just sections you have yet to review.
