If your customers want proof that you handle data securely, a SOC 2® report provides one of your best options. This industry standard continues to gain momentum as a way for companies to ensure that every vendor in their supply chain maintains proper security controls. For many companies, a SOC 2® report has become a requirement to win and keep contracts with key clients.
Getting your SOC 2® report isn’t a quick decision or process, so you’ll have to make a plan for how you will prepare for a SOC 2® exam. SOC 2® Type II represents a significant investment of time and resources, as the process typically takes at least a year, culminating with an audit by a Certified Public Accountant (CPA) firm. (If you’re unfamiliar with the overall SOC 2® process, read this blog for a summary.)
As you consider how to prepare for a SOC 2® exam, you have a couple of key decisions to make:
- Should you hire a readiness consultant or try to prepare for the exam on your own?
- Should you take the auditing firm’s offer to handle both readiness and the actual audit?
Facts to Consider Before a SOC 2® Exam
After helping dozens of companies prepare for their SOC 2® exams, Pratum has seen all the possible scenarios for handling this critical process. Here are several key points to keep in mind.
- DIY preparation is more work than you think. As you consider how much money you’ll save by not paying a readiness consultant, be sure to factor in the extra workload that SOC 2® prep will put on your internal team. To keep up with all the other work that keeps happening, you’ll probably have to bring in additional temp help or postpone some projects.
- An unfavorable SOC 2® report is costly. Auditors report what they find during the exam. They won’t comment on how you plan to fix any shortcomings in your security controls, and the process does not include a grace period for you to correct gaps before the report is issued. So if you have gaps, potential customers will read about them when they ask to see your SOC 2® report. (The report includes a place known as “Management’s Response” where you can comment on noted deficiencies, but the auditors won’t weigh in on your statements.) After you fix gaps, you’ll have to pay for another audit to get a report that shows that you now handle every area acceptably. The cost of a second audit will exceed what you would’ve paid a readiness consultant to help you get the desired result on the first try. Plus, a second Type II audit will probably take at least another 6 months. Are your current and potential customers willing to wait that long for you to get a SOC 2® report that satisfies them?
- All-in-one services are rarely experts in everything. Some large CPA firms also offer cybersecurity services and will offer to help with both readiness and the audit. For simplicity’s sake, hiring one firm to handle the entire process certainly sounds attractive. (SOC 2® rules dictate that only CPA firms can perform the exams, so only CPAs can offer all-in-one service.) But the staff of an accounting firm rarely provides the deep expertise you get from a dedicated cybersecurity consulting firm. We’ve seen the best SOC 2® results come from teaming a cybersecurity consultant with a CPA firm that regularly work together on engagements. Because the teams collaborate frequently, you get all the benefits of a smooth process while tapping the expertise of pros from each category.
- Cybersecurity consultants add insights from dozens of other clients. Consulting teams like Pratum’s take a deep dive into your business and its specific risk factors to help you develop the most applicable control sets during SOC 2® scoping. Their recommendations include best practices accumulated through engagements with numerous other clients. When you’re focused on getting your SOC 2® exam right the first time, you want support from experts that prepare dozens of companies for SOC 2® each year.
- Proper scoping advice determines the outcome. Uninformed scoping can make a SOC 2® engagement harder, longer and more expensive than it needs to be. Readiness consultants help ensure that your engagement covers exactly what it needs to—but no more. A good consultant will have solid relationships with the auditors and will bring them into the scoping process to ensure that all sides agree on the rules of engagement before the work starts. If the scoping is inaccurate or vague, the auditors may dive into parts of your company that they don’t need to look at. Poor scoping also may leave out key elements that your clients want to see in the final report, which means you could spend a lot of money generating a report that doesn’t even speak to what your customers want to know.
- Readiness consultants know what’s on the test. Nobody likes to guess about what they’ll be reviewed on. Experienced readiness consultants have dealt with enough auditors to know what they’re going to ask, what information they’re going to request during the fieldwork, etc. In many cases, readiness consultants work with the same specific people at the same CPA firms on multiple occasions. This familiarity between them makes your engagement go even more smoothly.
- You need an advocate during the exam. Even if you’re working with a reputable, well-intentioned auditor, you’ll almost inevitably have some disagreements. In most SOC 2® engagements, clients feel that the auditors are exceeding the agreed-upon scope in some areas. Or the client might feel that the auditor is incorrectly declaring a control insufficient because they don’t understand the scenario in which it’s being used. A good readiness consultant maintains a friendly relationship with the auditor—but makes clear that their job is to protect your interests. They will present your case to the auditor and provide supporting information to show them your point of view.
If you’re considering how to prepare for a SOC 2® exam, contact Pratum today to learn more about how we can help you plan an engagement that’s efficient and effective in growing your business.