6 Ways to Fail a SOC 2 Type II Audit
One of the best ways to learn how to do something is to learn what not to do. At Practical Assurance, we talk a lot about how to prepare for a successful SOC 2 audit. But the best way to show you how to prepare for success is to tell you the top ways companies fail SOC 2 audits.
Here are our top six ways to fail a SOC 2 audit, based on our experience with customers of all sizes.
6. Don’t Get the Right People Involved
A lot of companies don’t take SOC 2 audits seriously enough, and it shows in who they choose to run the show. Like any successful project, a SOC 2 audit requires thoughtful leadership and named process owners. It also requires a good, central project coordinator who can make sure every requirement is met across the company. There needs to be ownership and responsibility, and it needs to be assigned from the outset of the project.
But it also can’t be relegated to a single person. The entire company needs to have buy-in or the audit will fail. All staff members need to be properly educated and there needs to be an effective internal launch to ensure SOC 2 success.
5. Don’t Give Ample Time to Preparation
Your high school math teacher was probably right: you can’t cram all the necessary knowledge into your brain the night before a test. The same is true of SOC 2 compliance: you won’t be able to cram the day or even the week before the audit and pass.
Organizational change is difficult and it takes time. Overhauling your processes to make them compliant isn’t a one-day project. Keep in mind that a Type II report covers how your controls operated over a review period, typically several months, so the auditor will expect evidence from throughout that window, not just from the week before fieldwork. You have to give yourself enough time to properly prepare and make changes.
4. Don’t Organize Well Enough
It’s really easy to say, “We’re going to be SOC 2 compliant!” But without organization and planning, you’re setting yourself up for abject failure. Imagine if your IT team said they were going to introduce an entirely new technology, but didn’t have a timeline, scope, budget, or project goals laid out. You would know from the start that it wasn’t going to happen.
The same is true of your SOC 2 compliance. You must be methodical and deliberate, with real project management, including fully fleshed-out schedules and goals. You can’t generate audit evidence on the fly during the audit; it has to have been collected and organized ahead of time.
3. Make a Lot of Assumptions
Even if members of your team have done SOC 2 compliance audits or preparation in the past, it doesn’t mean that your audit is going to go well. In fact, this former experience can set you up for disappointment.
No two audit firms are the same. Some emphasize different aspects of compliance over others, and each individual auditor will approach the audit differently. Some are more rigorous than others. Their expectations can also change over time, so even if you have the same audit firm or auditor as in a previous audit, you could be blindsided if you assume you already know what they’re going to want.
Also, don’t think that a SOC 2 audit is like any other audit. Clearly, it’s not like a tax or financial audit, but it’s also very different from other security audits, such as ISO 27001. SOC 2 is an attestation report against the AICPA’s Trust Services Criteria, while ISO 27001 is certification against a management-system standard; the requirements are different and the scope is different. Assuming you know what’s going to happen just because you’ve done something similar in the past is a surefire way to fail your SOC 2 audit.
2. Don’t Focus on Your Audit Scope
This is similar to being organized, but if you want your audit to succeed, you need to define the scope of the audit upfront. You’ll need to answer several questions, such as:
Which Trust Services Criteria are in scope? (Security is always included; Availability, Confidentiality, Processing Integrity, and Privacy are optional.)
Which systems and applications need to be involved?
Which networks will you be looking at?
Which third parties are relevant to the audit?
You can’t rely on the audit firm to create this scope for you. Management defines the system being described, and you’ll need to communicate that scope to the audit firm as part of the audit.
1. Be Overly Confident or Nonchalant
If you don’t take your SOC 2 audit seriously, you’re going to fail it. Brushing off requirements, not focusing on details, or going in blind are all ways of setting yourself up to fail. If anyone on your team is openly saying they think the audit is pointless, you’re in trouble.
At the same time, if your team thinks the audit is going to be easy, you’re also in trouble. You can’t talk your way through an audit or just check a few boxes and succeed. Your team needs to be fully honest about your level of preparedness, and you need to be ready to communicate openly with your auditor. Don’t take the SOC 2 audit lightly if you want to pass.
All of these rookie mistakes are easy to fall into, but with proper guidance, you can ensure that your SOC 2 audit will be a success.
—
Practical Assurance offers penetration testing services and SOC 2 prep tailored to small to medium businesses. Contact us to get started.