What is a SOC 2 readiness assessment?
A SOC 2 readiness assessment is exactly what the name implies: an assessment performed to determine whether a company, or more specifically the control environment of the company's product, is ready for a SOC 2 audit. The objective of the report is to summarize the current state of the company's SOC 2 attestation readiness, including identifying the relevant controls and noting the extent to which they are currently implemented, whether they have been changed recently, and whether they can be readily evidenced as operating consistently.
During the readiness assessment, a consultant or, in some cases, the auditor follows a process similar to an actual SOC 2 audit. This is performed via workshops, interviews, walkthroughs, etc. with different stakeholders from management, who would normally be individuals from DevOps, IT Security, and Human Resources.
Key areas that will be considered when performing an audit readiness assessment:
- Determine whether a Type 1 or a Type 2 will be performed in the future. The type of review is important in order to determine the level of readiness the company needs to reach before agreeing to perform an actual SOC 2 audit.
- Determine the scope, which includes the Trust Service Criteria and the product. This also includes areas that will not be included in the scope.
- Determine the period of reliance. This is important especially when a SOC 2 Type 2 will be performed. Depending on the gap analysis, the period will be established.
- A gap analysis will be performed by comparing the AICPA SOC 2 framework to the controls that management currently has in place.
- For the controls that are in place, design, implementation and operating effectiveness will be tested. If management chooses to do a Type 1, then only design and implementation will be tested. However, when a readiness assessment is performed, it is recommended that a Type 2 report be done, unless the company has financial constraints.
- For controls that are not in place, recommendations will be given on the control design, i.e. what controls need to be designed and implemented in order to satisfy the specific SOC 2 criteria.
Gaps identified can be regarded in three ways:
- The control is designed but not implemented, i.e. the control is documented in a policy but is not working in practice.
- The control is designed and implemented but lacks operating effectiveness, i.e. the control was not operating effectively during the period of review.
- The control was not in place, i.e. there was no control in place to address the relevant SOC 2 criteria.
Gaps are communicated to management in a SOC 2 readiness report. The report provides recommendations for each gap identified and describes how management should address it. It is recommended that all gaps be addressed before the start of the audit period. Once management has addressed all gaps, the audit period will be established, which is normally the first day of the month after all the gaps were addressed. Once the audit period is set, the company moves into the actual SOC 2 project phase, where evidence is collected over a period of 3 to 12 months for the initiation of a SOC 2 audit.