Obstacles can thwart your efforts to achieve and sustain SOC 2 compliance at any point in your process. Based on discussions with auditors and compliance managers, here are a few common SOC 2 audit obstacles and some advice to help avoid them.
Untimely auditor engagement. Especially if this is your first SOC 2 audit, you must select and engage an auditor as early as possible in your preparations. Failure to do so almost guarantees delays due to the need to address or re-address requirements you and your team missed without an auditor’s help.
Fortunately, the best auditors can and will help with this process and even insist upon it. Unfortunately, not all auditors are the best. Some will claim to generate a SOC 2 compliance report quickly, and some can do so. However, the faster a report is produced, the more likely it is to be deemed inadequate by one or more of the larger or more experienced companies your company wants to do business with.
Inadequate auditor alignment. Picking the wrong auditor can be even more of an obstacle than not choosing one soon enough. You need an auditor who understands your company, its primary business, and its specific needs. And you need to avoid being presented with senior, experienced people in the initial sales meetings, then being handed off to junior people with little to no experience after the contract is signed. At the very least, make sure your chosen auditor firm is certified to perform SOC 2 audits and can provide credible customer references. (For more, see SOC 2 Compliance: How to Choose an Auditor.)
Your policies, procedures, processes, and relevant monitoring and reporting systems must align closely with what your chosen auditor expects. Gaps between the data you supply and the formats your auditor expects can delay accurate and timely compliance reporting, or make it impossible. Again, the right auditor can provide guidance, including samples or templates.
Inadequate preparation. This may be the biggest and most challenging obstacle to your SOC 2 compliance journey. Before your audit, you must comprehensively evaluate your relevant policies, procedures, processes, and systems. And you must understand and address all significant gaps.
This challenge applies whether this is your first or merely your latest audit. “The first time you finish your first SOC 2 audit, you’re like, ‘Oh, my God, I’m done,’” said Liam Collins, Trust Practice Co-Lead at Armanino LLP, in his “Everything Compliance” podcast interview. “But you’re already in the coverage period for your next audit. And you realize, ‘Oh my God, I’ve got to keep doing this.’” And, he added, you’ve got to get better at preparing because each annual audit will be different from its predecessor.
Your preparations must also include all of the right stakeholders in your organization and incorporate plans to deal with any disruptions in core operations necessitated by the audit at hand. (For more, see SOC 2 Compliance: Four Actions to Make Your Audit Successful.)
You must prepare with a primary focus on your upcoming audit. But you must also prepare in ways that minimize or eliminate the need to start from scratch in advance of every succeeding audit. Of course, a superior auditor can and will guide you, but you will also need policies, procedures, processes, and technologies that enable continuous compliance, verifiable on demand.
Inadequate budgeting. Remember the adage, “Fast, Cheap, Good – Pick Two.” Also, remember the title of the Public Enemy song, “Don’t Believe the Hype.” Despite the declarations and promises of multiple vendors and some auditing firms, it is nearly impossible to achieve credible, comprehensive SOC 2 compliance in weeks for a handful of dollars. Liam of Armanino has found that companies should plan for a successful SOC 2 Type 1 audit to take up to three months, while a SOC 2 Type 2 audit can take six months. Much depends on your company’s readiness, but that can only be determined by a detailed pre-audit assessment assisted by an auditor. That task can take a month or more, depending on the size of your environment and the quality of your incumbent policies, procedures, and processes.