SOC 2: starting your audit process

Maintain the security of your customers’ data with a globally recognized compliance standard.

November 9, 2022


SOC 2 is a voluntary compliance standard that companies should meet when managing customer data. Based on a set of trust services criteria, SOC 2 outlines the minimum requirements needed to maintain the security of your customers’ data.

Below, we cover the major steps in scoping and selecting a SOC 2 auditor:

  • Determine your trust services criteria 
  • Get internal buy-in
  • Select an external auditor
  • Perform a readiness assessment
  • Build a SOC report 


Determine your trust services criteria

The Trust Services Criteria (TSC) were developed by the ASEC Trust Integrity Task Force and are used to evaluate and report on information and system controls in attestation or consulting engagements. The five main criteria are:

  • Security
  • Availability
  • Processing integrity 
  • Confidentiality
  • Privacy

Out of the five criteria, the only one required to meet SOC 2 compliance is security. If the other criteria are relevant to a company’s services, a company can opt to include them in its audit. 

Discuss the criteria and any contractual obligations with internal stakeholders and verify compliance with your auditor to determine the best approach.

Get internal buy-in

When embarking on any type of audit, it’s necessary to get internal buy-in from key stakeholders. Multiple individuals in an organization will contribute throughout the SOC 2 audit, from scoping to collecting evidence, which makes it critical for everyone to be on the same page. 

Streamline your SOC 2 compliance by informing internal stakeholders about what’s needed from them and at what stages they will be involved.

Define the audit scope

SOC 2 audits are tailored to a company’s specific needs. For example, an audit can be performed at the level of the entire company or on a specific area of operations.

An audit scope also outlines the period covered by the audit and any existing security controls and systems. Use the following questions to set the stage for your audit:

  • Will physical offices be included in the audit? 
  • Where is the data collected from your clients hosted (e.g., public or private cloud)?
  • How are system capacity requirements monitored?
  • Do you maintain external digital storage media that stores client data? 
  • Where do you maintain system backups and records?
  • Are there any intrusion detection or prevention systems (IDS/IPS)?


Select an external auditor 

Once your company is aligned on the upcoming SOC 2 compliance audit, the next step is to select an external auditor to facilitate the process. There are four key factors to consider when deciding on the right auditor:

  • Quality: Evaluate the auditor’s background, as well as any client testimonials
  • Experience: Look for an auditor with experience in your industry and with similar companies
  • Cost: While cost depends on the company size and scope, establish a baseline by getting quotes from a few providers
  • Personality fit: Find an auditor that aligns with your company and workflow, and makes it easier to perform routine audits in the following years


Perform a readiness assessment

Auditors will start by guiding your company through a readiness assessment, which provides a top-down overview of audit requirements and collects details about your current security process. 

The readiness assessment also reveals any gaps or other information that should be prepared for your final SOC 2 audit report.

Note that companies, not auditors, are responsible for the policies, processes, and controls implemented throughout the audit process. 

Build a SOC report 

At the end of an audit, which can take as long as several months, your company will receive a detailed SOC 2 report. The report typically comprises five main parts:

  • Control environment
  • Risk assessment
  • Information and communication 
  • Monitoring
  • Control activities

A company’s SOC 2 compliance report may be required by potential vendors or customers. For this reason, it’s recommended to schedule a SOC 2 audit once a year to include any significant security changes.

This ensures your compliance reports are aligned with your current operations and helps increase trust between your company and the target market.
