What Do SOC 2 Auditors Expect For Evidence?

Learn what SOC 2 assessors expect during audits and readiness assessments and become better prepared for SOC 2.

The Audit Process

During a SOC 2 audit, an audit firm will typically request that organizations share further information on their security programs and evidence of security operations. The information needed by assessment firms may vary depending on the type of audit and Trust Service Criteria (TSC) your team is being assessed on.

Below are some of the categories and types of evidence SOC 2 auditors may request for evaluating your organization’s security program. To get a better idea of SOC 2 scope and requirements, companies should consider connecting with a firm to determine audit needs and overall scope.

Assets Requested by SOC 2 Auditors

When an organization engages a SOC 2 audit firm, it may be asked to provide security materials as its internal controls are evaluated. Teams should gather security program information and artifacts to share with assessors. Organizations may leverage continuous compliance monitoring tools to establish and enforce internal controls.

Assets provided to auditors may consist of written policies and procedures, security reports, and information about security configuration. Organizations may be asked for information including evidence from the following categories:


Data Protection

Assessors may ask organizations how they configure production systems and safeguard sensitive data. Organizations may be asked to describe how production systems are configured and managed in the public cloud.

  • Inventory of production systems/data
  • Networking settings
  • Encryption settings

Backup & Disaster Recovery (DR)

Assessors may ask organizations to provide information about backup and disaster recovery (DR) standards. Assessors will evaluate whether these protections safeguard sensitive data and prevent potential data loss.

  • List of latest backups
  • Record of last test of backup and disaster recovery processes

Access Control

Assessors want to see that organizations have a standardized process for managing access control and access to sensitive data. Organizations should have processes implemented for granting new user permissions and revoking user access when employees leave or no longer need access.

  • List of production access users
  • Record of user access creation/deletion
  • Record of review of user access permissions

Security Solutions & Vulnerability Management

Assessors will ask organizations about security solutions and controls in place for patching systems, preventing malware, and monitoring network security.

  • Record of last intrusion detection
  • Record of last vulnerability scanning
  • Evidence of a patching schedule

Human Resources (HR)

Assessors want to see that organizations have proper employee policies in place and that employees are vetted and provided periodic security training.

  • List of employees and staff roles
  • Background checks and vetting of new employees
  • Date of employee security awareness training
  • Copy of Employee Handbook

Physical Security

Assessors may ask for information about the security of company offices and datacenters. While less applicable to organizations managing security in the public cloud, teams should provide evidence of security protections for any on-premises infrastructure or sensitive office spaces.

  • List of on-premises hardware infrastructure
  • Security procedures of offices
  • Physical access policies for production hardware/datacenters
  • Policies for handling physical media (hard drives, flash drives, CDs, etc)
  • Building maintenance, emergency procedures for datacenters

With Type 2 audits being conducted over several months, it is important that teams implement all required security controls and maintain these standards over time. Security teams may consider leveraging tools such as Dash ComplyOps to automate internal controls and gather essential security information for a SOC 2 assessment.


What Do Auditors Do with This Information?

An assessment firm may ask for security information to get a better idea of your organization’s security program and evaluate internal controls for SOC 2.

Since SOC 2 Type 2 is assessed over a period of time (generally 6 months), the assessment firm may continue to ask your company for further information and security evidence. The assessor may use this information to evaluate your team’s security posture and controls over this audit period.

After the audit period, the assessment firm will write a SOC 2 report summarizing your organization’s implemented internal controls. This SOC 2 report/certification can be shared with partners, clients, and key stakeholders as security program validation.

The assessor uses your provided information to determine three core items:

  • Does your organization have required internal controls in-place?
  • Are these internal controls actually followed and enforced?
  • Are there any gaps in controls?

How Your Team Can Prepare for a SOC 2 Audit

When going through a SOC 2 audit or readiness assessment, assessors want to see that your organization has an effective security program and that you are actually following through on the standards your team has put into place.

Your team can consider taking the following steps when preparing for a SOC 2 audit:

  • Create a realistic set of policies and procedures to guide security operations
  • Follow policies and implement security controls across your environment
  • Determine audit scope and perform a SOC 2 readiness assessment
  • Gather necessary security information

Dash ComplyOps helps teams streamline and automate the SOC 2 process. Software vendors, startups, and consultants all leverage Dash to build SOC 2 administrative policies and procedures, enforce policies through continuous compliance monitoring, and gather all evidence needed for a SOC 2 audit.
