What Do SOC 2 Auditors Expect For Evidence?

Learn what SOC 2 assessors expect during audits and readiness assessments and become better prepared for SOC 2.

The Audit Process

During a SOC 2 audit, an audit firm will typically request that organizations share further information on their security programs and evidence of security operations. The information needed by assessment firms may vary depending on the type of audit and Trust Service Criteria (TSC) your team is being assessed on.

Below are some of the categories and types of evidence SOC 2 auditors may request for evaluating your organization’s security program. To get a better idea of SOC 2 scope and requirements, companies should consider connecting with a firm to determine audit needs and overall scope.

Assets Requested by SOC 2 Auditors

When an organization engages with a SOC 2 audit firm, they may be asked to provide security materials as internal controls are evaluated. Teams they should gather security program information and artifacts to share with assessors. Organizations may leverage continuous compliance monitoring tools to establish and enforce internal controls.

Assets provided to auditors may consist of written policies and procedures, security reports, and information about security configuration. Organizations may be asked for information including evidence from the following categories:

Build And Automate Your SOC 2 Security Program

SOC 2 Audit Checklist

Data Protection

Assessors may ask organizations how they configure production system and safeguard sensitive data. Organizations may be asked to describe how production systems are configured and managed in the public cloud.

Backup & Disaster Recovery (DR)

Assessors may ask organizations to provide information about backup and disaster recovery (DR) standards. Assessors will evaluate protections safeguard sensitive data and prevent potential data loss.

Access Control

Assessors want to see that organizations have a standardized process for managing access control and access to sensitive data. Organizations should have processes implemented for granting new user permissions and revoking user access when employees leave or no longer need access.

Security Solutions & Vulnerability Management

Assessors will ask organizations about security solutions and controls in place for patching systems, preventing malware, and monitoring network security.

Human Resources (HR)

Assessors want to see that organizations have proper employee policies in place and that employees are vetted and provided periodic security training.

Physical Security

Assessors may ask for information and security of company offices and datacenters. While less applicable to organizations managing security in the public cloud, teams should provide evidence of security protections for any on-premise infrastructure, or sensitive office spaces.

With Type 2 audits being conducted over several months, it is important that teams implement all required security controls and maintain these standards over time. Security teams may consider leveraging tools such as Dash ComplyOps to automate internal controls and gather essential security information for SOC 2 assessment.

Build And Automate Your SOC 2 Security Program

What Do Auditors Do with This Information?

An assessment firm may ask for security information to get a better idea of your organization’s security program and evaluate internal controls for SOC 2.

Since SOC 2 Type 2 is assessed over a period of time (generally 6 months), the assessment firm may continue to ask your company for further information and security evidence. The assessor may use this information to evaluate your team’s security posture and controls over this audit period.

After the audit period, the assessment firm will write a SOC 2 report summarizing your organization’s implemented internal controls. This SOC 2 report can be shared with partners, clients, and key stakeholders as security program validation.

The assessor uses your provided information to determine three core items:

How Your Team Can Prepare for SOC 2 Audit

When going through a SOC 2 audit or readiness assessment, assessors want to see that your organization has an effective security program and that you are actually following through on the standards your team has put into place.

Your team can consider taking the following steps when preparing for SOC 2 audit:

Dash ComplyOps helps teams streamline and automate SOC 2 process. Software vendors, startups, and consultants all leverage Dash to build SOC 2 administrative policies and procedures, enforce policies through continuous compliance monitoring, and gather all evidence needed for SOC 2 audit.

Achieve SOC 2 Type 2 In The Cloud

Build A Sustainable Security Program and Achieve SOC 2 Report