Getting by Without SOC 2 Type II

There are two things we need to say right away: (1) we are believers in SOC 2 Type II - we think it's driven positive change in cybersecurity and beyond, and (2) it sure is a pain when someone asks you if you are SOC 2 Type II compliant and you don't have a good answer for them.

In this post, we'll explore what to do when you are asked (perhaps by an enterprise customer) if you have an unqualified SOC 2 Type II audit report.  If you do have one (a few of you), you can stop reading here -- but if you don't (most of you), please read on for advice about how to respond.

1. Compensating Controls

Just because you haven't been through a SOC 2 Type II audit doesn't mean that you don't have many of the controls that would be required by that type of audit.  To present a compelling storyline about how you take security seriously (even though you don't have a clean SOC 2 Type II report), we recommend a cohesive explanation that includes:

  • Policies and Plans:  a good start would be an InfoSec Policy, an Acceptable Use Policy, a Disaster Recovery Policy, and an Employee Handbook.  Many other types of policies and plans exist (Business Continuity Plan, Change Management Policy, Data Retention Policy, etc), but when you are just getting organized on policies and plans, you can often tuck some of the lower-priority policies into the policy documents that you are choosing to focus on.
  • Implementation:  implement the plans and policies.  For real.  If you say that every workstation uses encryption at rest, make sure that you've rolled out configuration changes that make that real/truthful.  Even if "rolling out configuration changes" in your organization is really just something as simple as sending everyone instructions for how to enable encryption, and asking them to send in a screenshot proving that they've done so.  That's not optimal, of course, but it's better than nothing.
  • Audit Yourself:  you hear that right.  Audit yourself.  Why?  Two reasons.  First, you'll find out that your team isn't quite as compliant with your policies as you thought -- and you'll learn more about why that's the case, and how to adapt to get closer to 100% compliance.  Second, just the process of auditing yourself will teach you what reporting mechanisms you have (and don't have!) towards proving that you are following your policies.  There is a very good chance that there will end up being one or more policy elements for which you have absolutely no way at all to verify compliance -- take that as your wakeup call to put some such mechanism in place.

2. Promise an Audit Start Date

If demonstrating that you have sound policies and plans, and that you actually "make good" on them is not enough, consider promising a start date for when you'll engage a professional firm to begin a formal SOC 2 Type II audit.  Perhaps the commitment would be for 6 months from now, perhaps 9 months from now.  It's situation-specific.  The point is, you work to advance the conversation to a point where both sides acknowledge the reality that you don't currently have a SOC 2 Type II report, but that conceptually you are agreeing to move towards getting one.

Note that in this section we're talking about promising a start date.  That is very different than promising the date that the report will land, and extremely different from promising that the report will be an unqualified opinion (a "clean" report).  You might end up having to make those promises too, but beware that you are putting yourself in the pressure cooker if you do.  No audit process begins with a preemptive promise from the auditor that the resulting report will be clean.  That wouldn't be much of an audit at all.  So, try to resist promising an outcome that neither you nor the auditor have a reasonable way to guarantee.

3. Promise a Report Date

If promising to begin a professional audit by a certain date isn't enough, you may need to commit to a completion date of a professional audit.  We're very familiar with SOC 2 Type II audits that involve a 1-2mo pre-audit period where an auditor prepares you for the process, including previews of the types of activities that will occur in the audit.  During that period, we typically see companies scrambling to "get ready" for the audit -- given the knowledge that they've absorbed from the auditor about the types of things that will likely be looked at very closely in the audit.  Following the pre-audit (which we've heard called different things), there is an audit period.  Perhaps six months.  During that period, the auditor will typically be looking for indications that you are (or aren't!) successfully sustaining the controls that your policies and plans say you'll abide by.

So, when companies get into a pinch where they need to rapidly engage an auditor, speed through the pre-audit and audit, and get to a report, it often ends up being an 8 month or 9 month process.  And that's if everything goes smoothly.  If you are being pressed to commit to a date for when your audit will be complete, we would highly recommend against promising anything faster than that type of timeframe.  Auditors tend to not look favorably on a client that presses them to merely go through the motions (and quickly, at that) -- and that's not the approach we'd recommend.

4. Promise an Unqualified SOC 2 Type II Opinion

Do some soul searching before you do this.  Are you certain that the other party will not accept any of the prior alternatives?  Pre-commiting that you will proceed through an audit (which you may never have been through before), and pre-commiting that you'll come out of it squeeky clean, is bold.  Very bold.  Candidly, it's a risk.  When you engage an auditor, they are absolutely not required to conclude with an unqualified opinion.  They may very well uncover behaviors in your company that demonstrate that you are unable to sustainably maintain the controls that you committed to in your policies and plans.

And, if that occurs, the auditor has a professional and ethical obligation to surface that issue.  There is some discretion in terms of how that issue gets surfaced, but there is no guarantee that it doesn't end up in your SOC 2 Type II report as a qualification.

If you absolutely must promise a date by which you will cleanly complete a SOC 2 Type II audit, buy as much time as you possibly can.  A year would be enough that if you had a rough start to an initial audit attempt, you could find a way to restart the process with greater vigor.  We certainly wouldn't recommend putting your reputation on the line for achieving a clean audit report on a timeline that gives you one and only one chance to "be perfect" on the first try.

SOC 2 Type II: Getting By Without It

As we mentioned at the top, we genuinely value SOC 2 Type II.  We think it has done much to add checks and balances to the claims that companies make about their cybersecurity practices (and other practices too).  And overall, it has led companies to improve their practices in significant ways that reduce cyber risk.  However, all of that said, there is still a reality that many small companies get asked about SOC 2 Type II long before they have found the time, energy, and resources to pursue an audit.  And that's why this article exists: as a stop-gap, to help small businesses figure out how to productively engage in a conversation where this tough question gets asked, and you don't immediately have the perfect answer.