ISO 27001 or SOC 2. Which is right for your business? It’s a common question.
SOC 2 Auditor
What does a SOC 2 auditor do?
An auditor who has been accredited by the AICPA can attest and report on whether controls were suitably designed and effectively implemented for an organization during the audit period. Not all accountants are CPAs, so when hiring an auditor it is important to be sure they are commissioned by the AICPA. The auditor hired must be impartial and unbiased, meaning they do not have any relation to governing members of the company’s board or hold any stake in the company themselves (completely independent of the auditee). A SOC 2 auditor can get help from IT or cybersecurity professionals, but will be the one writing the final report on your SOC 2 audit.
Responsibilities during a SOC 2 audit
In all engagements for a SOC 2 attestation, a shared responsibility model is in place between you as the lead implementer, the service auditor, and the organization. That shared responsibility model relies on trust between all three parties. The auditor will conduct extensive interviews with employees and other staff in order to collect sufficient and appropriate evidence to write a conclusive report and determine whether the organization meets the requirements for SOC 2 compliance.
Lead implementer
The lead implementer is in charge of the project. They are responsible for the gap analysis assessment; for recommending, reviewing, drafting, designing, and implementing controls; and for acting as a vital communication line back to the organization. A brief explanation of each step follows:
The gap analysis consists of identifying the controls relevant to the organization and to the audit framework specifically, and then comparing the control requirements to the current process in place at the organization. Where the existing process falls short of a requirement, the shortfall is identified as a gap that requires remediation and corrective action to address it.
The corrective phase includes the recommending, reviewing, drafting, designing, and implementing of controls as described above. This is one of the most critical steps, as it entails correcting and closing out a gap; more importantly, the process implemented to address the control requirement must be well suited to the organization and to meeting its business objectives. Both factors go hand in hand and must be considered during this process.
Service auditor
The service auditor’s duties are to run point on the engagement from an audit perspective. Their responsibility is to ensure that sufficient, accurate, and appropriate audit evidence is obtained from the customer to support and verify the existence of control processes at the organization that meet the control objectives. The auditor’s job is to guide the customer, ensure the customer is aware of the evidence that needs to be provided, and notify the customer in a timely manner if additional information or evidence is required. The service auditor will follow the methodology and sampling guide specific to their audit procedures in testing audit evidence. Depending on the frequency of a control, a certain number of samples will be selected, and consistent supporting evidence is needed for each sample to verify that the control operated consistently. Additionally, the service auditor needs a clear understanding of the organization, its service offering, and the tools used. This is relevant because it may affect how certain controls are tested, and in some cases it will affect the relevance of the evidence obtained. The service auditor is permitted to, and should, perform various audit procedures during the audit process, including inquiry, walkthroughs, and evidence collection. Walkthroughs are a great way to observe how a control operates in the organization, and they provide the opportunity to compare the detailed process described in a policy with the process actually implemented.