Find an auditor



Going through an audit can be an overwhelming process. When it comes to SOC 2, an audit is an auditor’s informed opinion on how well your organization’s controls meet the relevant Trust Service Criteria. There are a few things you should consider when selecting an auditor:

  • Accreditation: Ensure that your auditor is a licensed CPA. Only a CPA can sign off on a SOC 2 audit.
  • Reputation: Find a reputable firm. Any firm with a good reputation is sufficient. If you need guidance in this area, TrustCloud provides recommendations in this list of audit partners.
  • Experience: An auditor with more experience is likely to have a better and more thorough understanding of SOC, of how to evaluate controls against your organization, and of the best practices that apply.
  • Business understanding: It’s important that your auditor understands your business so they can expertly assess whether there are any gaps or deficiencies.

What do auditors look for?

Auditors are guided by the IIA Standard Code of Ethics, which tasks them with being independent and objective. An auditor evaluates the evidence you document to confirm that a particular control exists and that it is operating effectively.

Using a combination of techniques, an auditor obtains an in-depth understanding of your program and how it fits into the SOC 2 framework. These techniques may include:

  • Observation: Observing you perform a task relevant to a specific control.
  • Inquiry: Interviewing you or your team to learn about a specific process.
  • Inspection: Requesting evidence of compliance with a control.

To satisfy the auditor’s needs, it’s imperative that the documentation be complete and accurate. The source of the information in each document has to be identified and verified; the content must be written with integrity; and the documentation has to be easily accessible and retrievable for audit purposes. The goal is for the auditor to reach the same conclusion about the state and health of your information security program that you have reached, and well-prepared documentation is how you help them get there.

Once an auditor has reviewed your work and determined that your controls, policies, and procedures meet all requirements, they give you their stamp of approval. You can then announce (or post on your website) that you are SOC 2 compliant, for now, and start planning for next year’s audit.
