Everything You Need to Know about a SOC 2 Control Matrix
At Practical Assurance, we’re all about ensuring you have a successful, smooth, and cost-effective SOC 2 audit process. Designing an appropriate control matrix from the start dovetails into that. Presenting this fully thought-out and verified document to auditors before the audit process begins demonstrates from the outset that your company understands, and is serious about, security compliance. It sets the tone for the audit by building the auditor’s confidence in your organization.
Having the proper documentation in hand may even help you find the right auditor. If you have the control matrix prepared, you can show it to an auditor prior to signing an engagement letter and ask whether they see any red flags or anything that gives them pause. Because there’s some subjectivity in how auditors evaluate controls, if the auditor does raise concerns you have an opportunity to identify a different auditor who better aligns with your mentality and approach. That auditioning process also helps set you up for success in the long run.
When an auditor is evaluating controls, they will generally require three documents:
The management assertion letter, which is a largely boilerplate letter from the C-suite that describes the controls in use.
The system description, which describes how your system works and the key controls in place.
The control matrix, which is a formalized document that maps the AICPA criteria to the controls your company has in place. It defines up front what is going to be tested. The auditor in turn adds language describing how each control was tested.
Many times, auditors can provide templates for the first two elements of documentation and/or write them for you. However, your company will need to craft the control matrix. Let’s dive into what you need to know about creating this document.
What’s a control?
If you haven’t been audited previously, you may not be familiar with this language. Controls fall into three categories that pertain to your information security approach: technical settings (such as authentication settings or password requirements), policies, and processes (which define how something is done and how often it is completed).
What’s a control matrix?
A control matrix provides clear and concise language that defines how your company is addressing risks. The controls you choose to highlight should align with the points of focus your company has chosen to emphasize among the 200 that emerge from the SOC 2 common criteria. You have some flexibility in which controls your company highlights based on your organization’s identity; however, keep in mind that these controls should still be in keeping with the best practices of security compliance and your industry. You’ll also be required to state which audit artifacts you’ll be supplying as evidence that each control is operating. As we know, the name of the game in SOC 2 auditing and compliance is documentation, so you’ll need a list of items you can provide to the auditor as proof. This proof could include screenshots of network security dashboards, screenshots of server dashboards, vulnerability scan reports, or external pentesting reports, to name a few.
How do auditors evaluate controls?
First, auditors are on the lookout for timeliness and consistency. The language you include in the control matrix sets the precedent here. For example, if you state that your company does something quarterly, the auditor will look for evidence that it is actually occurring at that frequency. Choosing a word like “periodically” gives you a lot more flexibility, in the auditor’s eyes, in terms of when your controls can and should occur.
As part of the audit, the auditor will also be trying to confirm that the controls are fully integrated into your normal business operations. Because of this, it’s wise to have policies and procedures match what’s actually happening in your business, rather than report an aspirational version of what you want to occur (and think will look good) but isn’t occurring. Keep in mind that the auditor will likely interview process owners and will want their answers to match what you’ve documented in the control matrix.
Finally, the auditor will evaluate whether the controls in place adequately address the risks outlined and whether they align with commonly accepted best practices in the field. There’s a right time and a wrong time to customize practices in your business, and a time to follow the industry’s lead. As security compliance experts, Practical Assurance can help guide you through this.
How Practical Assurance Can Help
Practical Assurance has helped so many clients prepare for and successfully pass audits that we’ve developed control matrix language that may apply directly, or can easily be adapted, to your needs. Additionally, our tool can be used to perform internal audits of your control processes, which the auditor will look for to confirm your company is keeping up to date and evolving with changing internal and external circumstances. If you’re ready to learn more about how our app or consulting services can help, contact Practical Assurance today.