3 Tips on Preparing for a SOC 2 Audit


SOC (Service Organization Control) has evolved under the governing authority AICPA (American Institute of Certified Public Accountants), an accounting organization that oversees tax and finance accountants.

What started as an accounting standard has evolved into an increasingly popular security framework with far-reaching applications. Companies now routinely need to demonstrate SOC 2 compliance because their customers want assurance that they are managing data effectively.

As managed service providers (MSPs) work to help entities create and maintain a robust security environment, they certainly shouldn’t bring any additional risk to their clients.

As a result, many MSPs have begun to explore a SOC 2 audit before providing services to a prospective client. In this article, we give some tips on preparing for a SOC 2 audit.

Successfully navigating it can strengthen your MSP’s reputation and marketing initiatives, and provide a leg up on the competition.

What Is a SOC 2?

A SOC 2 audit addresses third-party risk concerns by evaluating internal controls, policies, and procedures that directly relate to the AICPA’s Trust Services Criteria.

It focuses on controls related to security, availability, processing integrity, confidentiality, and privacy. Security controls testing is mandatory, while the rest (availability, processing integrity, confidentiality, and privacy) are optional.

This means that the company can decide the scope of the report, but it always covers security or the “common criteria.” This includes organizational controls, access management, risk management, change management, communications, and system operation.

(The Common Criteria elements will satisfy most partners’ need for assurance that you have reliable security processes in place.)

A SOC 2 report is a restricted report, meaning it cannot be freely distributed. Only those within the organization, customers, and prospects can see it. It will show all the controls you were tested on as well as any exceptions.

Finally, there are two types of SOC 2 reports, type I and type II:

  • Type I: A one-time test of the design of your controls at a single point in time.
  • Type II: An ongoing test of your controls over a period, e.g., the past 6 months.

1. Get Buy-In from the Entire Organization

Sometimes in MSPs, the SOC 2 process falls on the shoulders of a couple of employees. And while it can be useful to have a project manager spearheading the process, key stakeholders across business and IT groups need to understand the full set of drivers and potential uses of the SOC 2 report.

As a result, it’s essential that the entire organization is aware of the SOC 2 audit and buys into the process. They also need to understand the time, effort, and money required for successful completion and the kind of report you want to share with your customers.

2. Examine Current Processes

Walk-throughs of management’s existing processes will provide a complete view of the relevant processes and controls and give the SOC 2 team most of the information it needs to understand where management’s controls align with the standard and where gaps exist.

It is critical to involve the correct stakeholders and process owners in these conversations to ensure accuracy. Inaccurate control information can lead to delays later on, or if not identified early enough, testing exceptions in the SOC 2 audit.

3. Perform a Full Readiness Assessment

You’ll want to find a CPA firm to complete the SOC 2 audit. Why a CPA? Because of the origins of SOC 2, your auditor will have to be a CPA firm to issue a SOC 2 report.

As LMBC points out, technically any CPA firm can issue one. But not every CPA firm can do it the right way. Because SOC 2 focuses specifically on security, you want a firm that understands security and the ins and outs of the AICPA guidance.

During the engagement, the firm you hire will perform a full readiness assessment. They will educate you on the requirements of all the framework’s criteria and help you understand any control gaps your organization has related to those criteria and points of focus. By providing them with your report on current processes, you’ll speed up the time it takes to undergo this readiness assessment.

The Wrap on Preparing for a SOC 2 Audit

Successfully completing a SOC 2 audit is no small feat. But doing so can give your clients and your customers a new level of respect for your business.

Author
Gavin Garbutt
Co-Founder & Chairman of Augmentt
