5 Tips for Talking to a SOC 2 Auditor
SOC 2 auditors are people, too! But there are best practices when it comes to communicating with them. Here are five tips for talking to SOC 2 auditors without being awkward or hampering their work.
Plan What to Talk About Before the Audit Starts
Establish good communication with your auditor early in the process so that, first of all, you know what’s coming, but also so you can make sure to keep those lines of communication open throughout the entire audit. Before the audit starts, make sure to set key guidelines around the audit scope and what third parties will be involved.
Have your auditor help you define the risk areas, and communicate any processes you use that may go against industry best practices so they’ll be ready when they come across them. Make sure you can communicate what’s different about your business in a way that the auditor can understand clearly. Finally, communicate with your auditor about anything you’re worried about or any things that may have changed from last year.
Know What to Talk About During an Audit
Once the auditor has begun the audit process, it doesn’t mean you can clam up and quit communicating. In fact, you and the auditor will probably have many questions that you both want to ask during the audit itself.
A few common questions we see from auditors during the audit include:
Is there a newly discovered system or process?
Is there a process or exception that you discovered and fixed recently?
Which risks are you not addressing, and why?
Where can the auditor find the most relevant, up-to-date information?
What improvements are planned for the future?
Having answers to these questions is a great way to keep up communication during the audit.
Be Ready for Uneasy Situations
SOC 2 compliance audits aren’t meant to be a walk in the park. If they didn’t bring up uncomfortable issues, they wouldn’t be worth having. So you should be prepared to discuss some uneasy issues that may arise.
The most glaring example is what happens if you disagree with the auditor. For instance, if the auditor finds a problem, how is your team going to respond? Similarly, what if the auditor has a suggestion you don’t agree with, or sees a risk that you don’t believe is there? They may ask for documents you don’t think are relevant, or focus on controls you think are the wrong ones. How you respond to these situations can be important to the outcome of your audit.
Prepare Your Team in Advance
One thing about a SOC 2 audit you should be prepared for is that the auditor is going to want to speak to multiple people. This can be a godsend because it means that if the auditor asks an unprepared team member a question, the team member can recommend an expert on the team for the auditor to talk to. Your team needs to be aware that they can ask for clarification or for a little more time to answer a question. Also, they should know that they don’t need to overshare; they just need to answer the question as it’s asked.
You do need to make sure that your team is prepared and understands policies and procedures backwards and forwards. When they answer questions, those answers need to be consistent with the evidence you’ve provided. You can prepare by writing narratives describing key controls and processes. Don’t be afraid to use the whiteboard to diagram concepts. Also, take good notes during the audit and open tickets for any to-dos that the auditor brings up to keep your team involved.
Avoid Auditor Pet Peeves
While every auditor has their own style, there are a few recurring issues we’ve seen them dislike time and again. A few things you should avoid include:
Being too controlling
Being too “showy” or overly polished
Keeping actual employees who run systems from talking to the auditor
Changing policies the day before they arrive
Being inconsistent with documentation
Making up answers
Remember: the auditor isn’t a customer. You don’t have to woo them with expensive dinners or entertainment. You should be friendly and courteous with them but keep their real purpose there in mind. They’re auditing you for compliance with SOC 2, and your job, while they’re there, is to make sure they get everything they need to help you succeed.
—
Practical Assurance offers penetration testing services and SOC 2 prep tailored to small to medium businesses. Contact us to get started.