Picture this: you’ve just finished a race.
Maybe you’re a 5k person, or if you’re more superhuman, perhaps you run marathons. And even if you’re neither, you’ve likely seen the scenes after each race, no matter the distance. As soon as a runner crosses the finish line, they’re congratulated and handed a medal and cooling towel before they head off to catch their breath, thankful for their success.
A SOC report isn’t exactly as flashy as that medal at the end of a runner’s race, but we’re betting the exhaustion and sense of accomplishment you feel are fairly similar. After all, you’ve just made it through another kind of endurance activity and would very much like to rest.
Congratulations, if you’ve just completed your first (or latest) SOC attestation. Congratulations if you’re now done with the walkthroughs, with providing evidence, with addressing those follow-ups. At this point, you’ve likely got the deliverable in hand from your auditor and have distributed that shiny new SOC attestation report to clients and interested parties.
But similar to running, the audit business benefits from training–from keeping up with good habits and maintaining the standards you set for yourself in order to be able to pass your SOC examination.
After all, these audits do generally occur yearly, and while you’re probably trying to not think about it, it’s likely there’s a little voice in the back of your mind reminding you that this process will have to be completely redone for next year.
But you don’t have to dread your next SOC report. You’ve run one race (at least) already. As those service auditors who visit our clients year after year to reevaluate their controls and security measures, we want to help you, as well as them, mitigate the stress of an audit during those times when we’re not in-house just as much as when we are around.
In this article, we will detail what you can do now to make the next time you go through a SOC attestation less arduous than before. Using these three steps, you will trade stress for more organization and set yourself for a more improved experience during your examination.
How to Make Your Next SOC Examination Easier
1. Address Any Exceptions Found
Now that you’re done with your latest SOC audit, you may have revealed some exceptions within your security infrastructure. This is where you should start during the “dead period” between audits–develop a plan to address exceptions discovered during the attestation process (if there were any).
- A report that includes exceptions should not be seen as purely a negative; exceptions should also be seen as an opportunity to improve.
- Have your security management team meet before your next attestation planning meetings begin to review and discuss the complete report as a whole, including corrective action plans for the exceptions.
- Having a plan to address these exceptions will lead to an increased emphasis on properly executing the control in the next review period, which will also lead to a stronger security environment and a cleaner SOC attestation report.
Ensuring that these exceptions are addressed is a major element of not only improving your security environment and posture, but also improving the audit process. It may seem like more work, but in fact, it’ll save you some in future and benefit your organization overall.
2. Document Everything
If you’ve been through an audit, you already know how important documentation is for those eventual evidence requests. Because it’s highly unlikely that your organization will remain stagnant in between audit periods, it’s a huge advantage to document any changes to systems, applications, or physical company locations that occur prior to fieldwork of your next SOC attestation.
- Make sure to include any changes that can have an effect on the structure of security controls, such as the replacement of a change management ticketing system, an additional office facility being acquired, or the change of a business process (e.g. a change in the frequency of vulnerability scans being conducted). Documenting these changes now will relieve a lot of headaches during your next SOC walkthroughs, interviews, and fieldwork.
- Write it all down at the actual time of the change, rather than having to remember to do it later.
- The more thorough, the better: From our perspective, we sometimes feel like members of a jury–we need to be convinced beyond a reasonable doubt that the control is suitably designed (Type 1 report) and/or operating in an effective manner (Type 2). This always comes back into play when a process has changed, or a major change has occurred in an organization.
- Your auditors too will need to be convinced and have concrete evidence that:
- The business process changed;
- The change was approved by management;
- The change follows new policies, procedures, and standard operating procedures; and
- The control is now operating per the new business process.
There is a fine line between a change of a control and the control raising an exception–to avoid crossing it to your detriment, ensure you have the proper paper trail that documents who made the change, why it was made, who approved it, and when the change was made.
3. Keep in Contact with Your Third Party
We’re actually not that bad, you know. And while at the end of your assessment, you may be thinking you’re well rid of your auditors, it would actually benefit you to maintain the relationship in between review periods.
- Inform them of any changes you would like to incorporate into the next attestation process, such as changes to review period.
- That may also apply if you’d like to add additional compliance reports to be conducted, such as HIPAA, HITRUST, or PCI.
At Schellman, our team is always willing to assist in tailoring an IT compliance stack that fits the needs of our clients, and being kept apprised of shifting objectives and new initiatives helps us help them. Maintaining a similar line of open line of communication with your own auditors will allow them to better plan for your mutual preparation period and accommodate you more thoroughly.
Next Steps for Your Upcoming SOC Examination
So, if you are someone who finds yourself in between your annual SOC examinations, don’t worry, because there is no need to stress over this experience year over year. You’ve gotten through the arduous effort that was the first one, which will set you up well for subsequent audits, and that’s a big advantage in itself.
But more still, you’ve now learned three things that position you even better–if you address any exceptions that’ve been found, document everything at the moment in changes within your business processes, and maintain and open line of communication with your service auditor, you’ll watch as your next SOC examination flows even smoother and more quickly.
While you’re keeping your next attestation a priority, we want to also help you ensure you get the most of the effort you’ve already given–read through our tips on how to maximize the report you have in hand right now. In addition to the basic tips above, our Midwest Practice leader Rob Tylka discusses in more detail how to make upgrades and changes to your approach for your next examination that will boost your next SOC report to new heights.
About the AuthorMore Content by Eric Aulbach