"What is the fastest path to receive the final report?"
This question is one of the very first questions I get to hear from startups. In this article, I will try to explain the planning, different phases, and the estimated timeline. Let's start!
The readiness assessment is the phase in which your representative (CEO / CTO / CISO / VP R&D / Compliance Manager or external Consultant, depending on the company maturity) and the auditor will meet to kick off the project. The subject matter will be presented and the project scope will be discussed and decided.
In a short – it's an analysis between the current state to the desired state (read more in ISACA) A series of meeting are preformed to make an assessment for the organization and the platform about the different aspects that agreed before, in our example we explore 'Security' TSC (Trust Criteria Criteria).
Security covers the logical and physical access, but since you are based on a service
organization, let's say AWS, the physical access to the infrastructure (e.g. datacenter)
enforced by AWS in accordance with their policy.
As a Compensating Control, the startup needs to review Amazon SOC 2 type 2 and check on the CUCEs paragraph (Complementary User Entity Controls) which are recommendation for the startup to verify and implement.
On the other hand, logical access to the different environments are created, maintain, and revoked by the IT, so expect of deep dive to understand the architecture of access management, security groups, permissions and privileges, and granting and revoking access for users.
Additionally, other subjects related to security (such as MFA, Vault, Authentication, Anti-malware, Active Directory, SSO, Patch Management, Encryption, Logs, Penetration Test, Vulnerability scans, and more) are discussed and analyzed to finds gaps between the current status of your platform to the AICPA SOC Framework.
Organizational procedures are also presented as part of the process. The Final deliveries are Control List and Identified Gaps that need to be remediated.
EST: 1-3 months
Period the company needs to remediate all the Identified gaps in order to start the reporting period in which the effectiveness of the controls will be examined.
In other words, address all the issues that came up from the Gap Analysis and fixing them all.
EST: 1-6 months
The SOC 2 declares a minimum period of 6 to 12 months in which the controls need to operate properly. The Auditor address the process, procedures, events, and documentation from the period only.
EST: 3-12 months
The moment we have all been waiting for – the beginning of the audit.
The auditor (CPA firm) and the company will meet for and go through the Controls, gathering evidence showing the policies are enforced and everything operates as it should. Evidence can be a screenshot, word, pdf, excel, email, etc.
The auditor can ask for any prove that answers the control, and the startup need to supply it so make sure to review carefully the controls agreed.
Deviations: In case the auditor finds a problem in one of your processes he can decide on a deviation that will be noted in the report and claim for management repose.
The auditor opinion attestation has 2 states: qualified or unqualified.
SOC 2 unqualified opinion means that the examination passed successfully.
On the contrary, qualified opinion means the company failed to pass the audit.
EST: 1 – 4 months
Based on my personal experience, new engagements can be segregated into two groups: The need-it-now and the lets-do-that-right.
The first group is the one that has a big contract on the table and SOC 2 is the only barrier for signing on the contract.
The common ground is they in a rush, they are not through and they may pay more. Consequently, they most likely to have deviations during the testing procedure.
The second group is the ones that want to be prepared in advance, as part of their security and growth strategy. They are more relaxed, go in-depth, and really want to build a solid infrastructure for the next years and stand in the highest standards of compliance.
In a short assessment, you understand it takes time! You need to understand your company, your platform, the framework, and the auditor terms.
Hopefully now you have a better understanding of the Process and Timeline and can do the math to assess how much time it will take for your company.
I'm here to answer any questions in case you still have inquiries, send me a message and I will do my best to respond shortly.
Good Luck!