3 Tips on Preparing for a SOC 2 Audit

3 Tips on Preparing for a SOC 2 Audit


SOC (Service Organization Control) has evolved under the governing authority AICPA (American Institute of Certified Public Accountants), an accounting organization that oversees tax and finance accountants.

What started as an accounting standard has evolved to become an increasingly popular security framework with far-reaching applications. Now, companies routinely need to demonstrate SOC 2 compliance because their customer wants to ensure that they are managing data effectively.

As managed service providers (MSPs) work to help entities create and maintain a robust security environment, they certainly shouldn’t bring any additional risk to their clients’.

As a result, many MSPs have begun to explore a SOC 2 audit before providing services to a prospective client. In this article, we give some tips on preparing for a SOC 2 audit.

Successfully navigating it can help your MSP’s reputation, marketing initiatives, as well as provide a leg up on the competition.

What Is a SOC 2?

A SOC 2 audit addresses third-party risk concerns by evaluating internal controls, policies, and procedures that directly relate to the AICPA’s Trust Services Criteria.

It focuses on controls related to security, availability, processing integrity, confidentiality, and privacy. Security controls testing is mandatory, while the rest (availability, processing integrity, confidentiality, and privacy) are optional.

SOC2 Certification

Source: Regents & Park

This means that the company can decide the scope of the report, but it always covers security or the “common criteria.” This includes organizational controls, access management, risk management, change management, communications, and system operation.

(The Common Criteria elements will satisfy the need for most partners that you have reliable security process in place.)

A SOC 2 report is a restricted report, meaning it cannot be freely distributed. Only those within the organization, customers, and prospects can see it. It will show all the controls you were tested on as well as any exceptions.

Finally, there are two types of SOC 2 reports, type I and type II:

  • Type I: A one-time test of your controls at a point in time.
  • Type II: Ongoing test of your controls over a period, e.g., over the past 6 months.


1. Get Buy-In from the Entire Organization

Sometimes in MSPs, the SOC 2 process falls on the shoulders of a couple of employees. And while it can be useful to have a project manager spearheading the process, key stakeholders across business and IT groups need to understand the full set of drivers and potential uses of the SOC 2 report.

As a result, it’s essential that the entire organization is aware of the SOC 2 audit and buys into the process. They also need to understand the time, effort, and money required for successful completion and the kind of report you want to share with your customers.


2. Examine Current Processes

Walk-throughs of management’s existing processes will provide a complete view of the relevant processes and controls and give the SOC 2 team with most of the information it needs to understand where management’s controls align to the standard and where gaps exist.

It is critical to involve the correct stakeholders and process owners in these conversations to ensure accuracy. Inaccurate control information can lead to delays later on, or if not identified early enough, testing exceptions in the SOC 2 audit.


3. Perform a Full Readiness Assessment

You’ll want to find a CPA firm to complete the SOC 2 audit. Why a CPA? Because of the origins of SOC 2, your auditor will have to be a CPA firm to issue a SOC 2 report.

As LMBC points out, technically, any CPA firm can issue one. But, not any CPA firm can do it the right way. Due to the specific focus of SOC 2 on security, you want a firm that understands security and the ins and outs of the AICPA guidance.

During the engagement, the firm you hire will perform a full readiness assessment. They will educate you on the requirements of all the framework’s criteria and help you understand any control gaps your organization has related to those criteria and points of focus. By providing them with your report on current processes, you’ll speed up the time it takes to undergo this readiness assessment.


The Wrap on Preparing for a SOC 2 Audit

Successfully completing a SOC 2 audit is no small feat. But, doing so can give your clients and your customers a new level of respect for your business.

Derik Belair

As President and CEO, Derik leads the vision, strategy and growth of Augmentt. Prior to founding Augmentt, Derik was the Vice President at SolarWinds, leading the digital marketing strategy for SolarWinds’ Cloud division. Derik has been working in the channel for over 20 years, starting his career as a channel sales rep at Corel Corp. and eventually becoming the first employee at N-able Technologies in April of 2000.
SUBSCRIBE for more resources
Related Content

Agent and Agentless

    When it comes to Augmentt Discover, we believe in flexibility and power. Augmentt Discover can collect SaaS usage data using both an Agent and Agentless model. Here is a quick [...]

    Product Evaluation Guide

      Thank you for starting your Augmentt Product Evaluation and Trial   Here are a few resources that will help you through this technical process. Support Technical Support is available to [...]
      Augmentt is a centralized SaaS security platform built for MSPs to deliver scalable managed security services for Microsoft and cloud apps. Our multi-tenant platform gives you visibility across all your end-users to easily audit, protect and detect security threats for a holistic approach to cyber security.

      Want to get the latest resources in Saas Security?

      Join our mailing list and we’ll only send you value-add content.