Q: What is the process of the SOC 2 assessment?
A: The SOC 2 Type 2 assessment process starts with an organization defining the audit scope and objectives, such as what we want to learn from the audit.
We sit down with the auditors to review and make sure that priorities and expectations are clear for all parties involved. Then, with the scope in mind, the auditors will create a plan and set up a project timeline. You lay out the dates and establish the deadlines where you need to have your information presented to them.
After that, it’s time to start testing the security controls. The auditor will ask for tons of documentation and will request populations from which they will pull samples to test. There's a lot of documentation back and forth that they're requesting. These testing areas include most of the business units across the organization, to some extent at least.
The auditor dives in and tests the controls for their design, making sure they're designed appropriately and ensuring that they are effectively working how they're supposed to be. Then, there's more back and forth if evidence is missing. Or sometimes, if the evidence isn't clear, we'll often just provide explanations around the things that were submitted. And sometimes, we just have to talk through certain controls with them.
Next comes the documentation of the results. The auditors will record the results, issue a draft report, and send it back to the organization that's getting audited. At that point, you can make any edits or clarify anything if some of their information is incorrect.
And then they deliver the final report. They'll give us a written evaluation of the controls and share a final opinion on whether they think that we have our controls suitably designed and that they are ensuring data security.