Docy Child

Find an auditor

Estimated reading: 3 minutes 545 views

Going through an audit can be a nerve-racking process. When it comes to SOC 2, the one thing you have to remember is that at its core, an audit is an auditor’s informed opinion on how well your organization’s controls meet the relevant Trust Service Criteria. There are a few things you should consider when selecting an auditor:

  • Accreditation: Ensure that your auditor is a licensed CPA. Only a CPA can sign off on a SOC 2 audit.
  • Find a reputable firm. It doesn’t have to be a brand-name firm like KPMG; one with a good reputation will suffice. If you need guidance in this area, we’re happy to provide some recommendations using this list of audit partners.
  • Experience matters. An auditor with more experience is likely to have a better and more thorough understanding of SOC 2, how to evaluate controls against your organization, and the best practices that apply.
  • Auditors are like snowflakes; no two are alike. It’s important that your auditor understands your business, so they can expertly assess if there are any gaps or deficiencies.

What do auditors look for?

Auditors are guided by the IIA standard Code of Ethics, which tasks auditors with being independent and objective. The documentation you developed as evidence is seen by an auditor as proof that a particular control exists and helps them evaluate operational effectiveness (whether or not the control is performing as it should).

Using a combination of techniques, an auditor obtains an in-depth understanding of your program and how it fits into the SOC 2 framework. These techniques may include:

  • Observation: Observing you perform a task relevant to a specific control.
  • Inquiry: Interviewing you or your team to learn about a specific process.
  • Inspection: Requesting evidence of compliance with a control.

In order to satisfy the auditor’s needs, it’s imperative that documentation is both complete and accurate. The source of information in the document has to be identified and verified, the content of the document must be written with integrity, and the documentation has to be easily accessible and retrievable for audit purposes. At the end of the day, you want your auditor to come to the same conclusion about the state and health of your information security program as you would. It’s your job to help them come to that conclusion.

At the end of this long journey, once an auditor has reviewed your work and determined that your controls, policies, and procedures meet all requirements, they will give you their stamp of approval. You can now shout from the rooftops (or post on your website) that you are SOC 2 compliant… for now. And then, you can start planning for next year’s audit.

Join the conversation

Twitter Facebook LinkedIn

❤️  Joyfully crafted by a 100% distributed team.