SOC 2 Compliance Checklist: Every Step Broken Down

So… How do I start?

I’ve been hearing from various people at service organizations that they are interested in learning which steps they need to take to get off the ground. In this SOC 2 compliance checklist you will find a breakdown of the majority of the things organizations should be doing now, and some things to think about down the line as you progress.

This SOC 2 compliance checklist is geared towards service organizations that have never undergone this process and will be taking up the task this coming year.

A more detailed version geared towards companies that have some experience being audited will be coming down the line.

Do your research:

You have already come across our site, so you have begun the process of researching SOC 2 and the responsibilities that come with performing one.

I would continue to read more SOC 2 related information as well, as most of the knowledge is available on this website.

Find a few CPA firms that perform 85+ SOC 2 reports annually:

You will want to research a number of firms that could perform and sign off on your SOC report, which only CPA firms are permitted to do.

This process should be handled with the utmost care, as you are putting a lot of trust into the company you choose; they can make or break you.

Some things to consider:
  • Narrow your search. Based upon how you felt about each company, the people, the methodology, previous experience, team background, success rate, recommendations, and of course cost, you should narrow down your search to the top 2 companies.
  • Pricing for a SOC report can vary greatly depending upon the company performing the work, the size of your organization, and the audit scope. On average, a company should expect to spend between $15,000-$150,000 for a Type II audit. The fees can change based on the organization, application, complexity, industry and additional parameters.
  • You should look for a fixed-rate fee so there is no potential for them to raise rates on you as the project progresses.
  • Be aware of further expenses required for completing the project, such as penetration testing, tools and employees' working hours.
  • Consultancy – it is highly recommended to engage an expert to escort you throughout the project lifecycle. It can save time for your C-suite and leverage external expertise. Do not compromise, and set a clear job requirement. If you already have a compliance department, this may not be relevant.

Define the scope:

Once you have engaged a firm to perform the work, make sure you define the scope of the audit early on in the process.

Not doing so could lead to excessive delays and potential cost overruns. It is the startup's responsibility to choose the Trust Services Criteria relevant to it (Security is mandatory).

Define your control objectives and activities:

In conjunction with your CPA firm, define the controls and test steps to be tested. Make sure they have been reviewed by the process owners and by any stakeholders at the CPA firm who may be reviewing and/or signing off on the report, to ensure everyone is in agreement.

If this isn’t completed prior to testing, you are asking for a world of trouble.

Perform a Readiness Assessment:

You can either choose to perform a readiness assessment on your own, based upon the test steps already defined, or, if you do not have the capacity or ability to do so internally, you can look towards either the firm performing your review or another company that is skilled in preparing companies for SOC 2 audits.

Pass the audit attestation:

Prepare the evidence: read carefully the testing procedures determined by your auditor. There will be different types of evidence (transaction, configuration, population, inquiry, observation, etc.).

Make sure each screenshot shows the operating system's date and time.

The SOC 2 compliance checklist steps laid out here will set you on your way to getting your SOC 2 started and should help to guide you through the toughest parts of the process.

Once you have completed all of the steps I have laid out, you should be able to rely on the knowledge of your CPA firm to take you across the finish line.
