Sunday, July 28, 2024

AUDIT EVIDENCE - SOC 2

When it Comes to a SOC 2 Report

Common SOC 2 audit evidence falls into three categories:

1. Governance and Risk Management

This includes evidence such as:

  • An organizational chart
  • Policies and procedures
  • Leadership meetings to govern the organization (e.g., information risk council)
  • Risk assessment and risk register
  • Penetration tests and vulnerability scans, along with evidence that actions are being taken based on those results
  • Incident response and business continuity policies and procedures, including tabletop exercises
  • Vendor risk assessments

2. Human Resources (HR)

Many do not realize that SOC 2 includes HR controls. HR will need to provide:

  • Employee roster
  • Documentation for employee onboarding and offboarding
  • New hire checklist compliance
  • Onboarding processes, including background checks and performance reviews
  • Employee handbook
  • Evidence of security awareness training

3. Technical Controls

This includes evidence such as:

  • IT asset inventory
  • Network and data flow diagrams
  • Access lists for networks, key systems, and cloud environments
  • Configuration settings for hardware, laptops, and password policies
  • Multifactor authentication status
  • Endpoint protection measures (e.g., antivirus software on laptops)
  • System development life cycle documentation (e.g., change tickets, QA and testing evidence)
  • Monitoring and alert configurations
  • Backup procedures for system recovery

Audit Workflow

The majority of your audit will involve providing audit evidence to the auditor, reviewing that evidence, and engaging in a cycle of acceptance or rejection. Here's a typical workflow between you and the auditor:

  1. Information Request: The auditor will send you a SOC 2 request list, detailing nearly 100 different requests.
  2. Gather Evidence: You will interpret these requests, gather screenshots of configuration settings, download access lists, and retrieve policies.
  3. Upload Evidence: Typically, you will upload these documents to a cloud repository like ShareFile or OneDrive.
  4. Review and Feedback: The auditor will review each file and determine whether to accept or reject the evidence. If accepted, you move forward. If rejected, you will receive an email detailing additional information needed.

Common Challenges

  • File Naming: Ensure files are named accurately to avoid confusion.
  • Feedback Visibility: Lack of visibility into whether the auditor has reviewed your evidence can be frustrating.
  • Coordination: Coordinating with stakeholders (e.g., engineers) to gather necessary evidence can be complex.

Best Practices

  1. Ask Your Auditor: Clarify how information will be exchanged.
  2. Request Process: Understand the process for requesting evidence.
  3. Feedback Process: Ensure you know how feedback will be provided and what constitutes acceptable evidence.
