We've seen many attempts at a SOC 2 compliance checklist over the past few years as more and more companies have become interested in obtaining a SOC 2 audit report. Unfortunately, there are fundamental flaws that we routinely see in these types of checklists. Today we'll dive into the the flaws to watch out for -- ones that could lead to extreme frustration if you were to complete a SOC 2 compliance checklist and later discover (with an auditor present) that you are far from ready for a SOC 2 audit. Here's the scoop.
Every SOC 2 audit engagement should begin with an agreement on scope, aligned with categories defined in the Trust Services Criteria:
If the audit will have a scope, so should any checklist that you consider using to improve your readiness for an audit. A one-size-fits-all checklist is a sure path to a mismatch in scope -- if your checklist only covered Security and Availability, but your eventual audit also covered Confidentiality, there is little chance that your organization is adequately prepared for the audit.
The word "commitment" has a very specific meaning in the context of SOC 2. Here's the definition from AICPA that you should have in mind:
Declarations made by management to customers regarding the performance of one or more systems that provide services or products. Commitments can be communicated in written individualized agreements, standardized contracts, service level agreements, or published statements (for example, a security practices statement). A commitment may relate to one or more trust services categories. Commitments may be made on many different aspects of the service being provided or the product, production, manufacturing, or distribution specifications.
A recurring theme that you should expect in your SOC 2 audit is around what commitments you've made (to customers, partners, etc), and what policies, processes, systems, etc., you are bringing to bear to ensure that you are fulfilling those commitments. Therefore, if you are following a SOC 2 compliance checklist, you'll want to keep an eye out for whether/not the checklist seems to have a concept of factoring in (somehow) your customer commitments. That's a fundamental basis for much of the activity that will occur in the audit.
If you aren't familiar with the Common Criteria for evaluating the effectiveness of controls, you are in good company. Few companies that embark on their first-ever SOC 2 audit have a familiarity with the Common Criteria. The reason we mention them, though, is that if your checklist fails to surface topics related to the Common Criteria there is a very good chance that your SOC 2 compliance checklist is flawed. Here are the Common Criteria sections defined by AICPA:
Notice how these criteria extend far beyond the question of whether you are meeting your customer commitments. The SOC 2 audit process is designed to examine not only the controls themselves, but the process by which the controls are designed, assessed, communicated, and monitored. Your SOC 2 compliance checklist isn't complete without a broad consideration of these factors.
There are quite a few checklists circulating, each of which claim to be a path to prepare for a successful SOC 2 audit. We've yet to see a perfect one, and perhaps that's fine: a checklist that moves you on your way towards a stronger chance of a successful audit is helpful. However, you should evaluate any checklist that you are considering -- by squaring it up with the above factors. By doing so, you'll get a strong sense for how thorough and complete your SOC 2 compliance checklist is. That's what will set your expectations about the extent to which the checklist is actually sufficient to prepare for a SOC 2 examination. Need a hand working through your company's particular situation? Drop us a line, we're glad to help.