October 5, 2022
What can and can’t be automated for SOC 2
4 Min Read
Everyone is searching for a simplified SOC 2 experience but there’s some confusion about what can and can’t be automated for SOC 2. It’s not something that can be 100% hands-free.
Reducing your number of daily decisions is a form of automation. It’s how you streamline processes, limit distractions and save time and manpower. By default, manual implies the opposite—especially with SOC 2. As a result, you can’t help but feel a bit panicky as you prepare for what you assume will be a labor-intensive experience that will suck the joy out of your day-to-day tasks. But not all manual tasks are complex.
For example, take a smart coffee machines that consistently deliver a decadent caffeine experience. As a home barista, you can choose between a cappuccino or a basic cup of black, set a program to run or even ask Alexa to do it for you. However, you’re still responsible for installing a coffee pod and filling the water reservoir manually for the machine to complete the task. The hands-on, manual expectations are quick, clear and straightforward, though.
Manual work for SOC 2 is similar. With the right automation, the manual evidence collection tasks are a lot like adding water. You save time and end up with a successful audit to pair with your delicious cup of coffee. Let’s take a look at some examples of what can and can’t be automated for SOC 2.
What can be automated for SOC 2
Most organizations face the same SOC 2 challenge—ensuring their team implements the necessary controls and properly document evidence. Automating evidence tasks saves time, money, and stress.
When searching for SOC 2 software, automated evidence collection and integrations are a high priority.
What can’t be automated for SOC 2
If a software provider claims to automate the entire SOC 2 process, they may not be sharing all the details. In fact, it’s just not possible. Instead ask questions specifically about the following manual tasks.
HR-related tasks like background checks
Most organizations use a third party for background checks. All the information they’re supplied is pulled into whatever HR system they use. Depending on the position in question, background checks may include:
- Criminal records
- Employment history
- Reference checks
- Citizenship status or a work visa
- Credit history
- Social media profiles
- Driving record
- Medical records
Does a SOC 2 auditor require an employee’s traffic ticket from 2012? Of course not. In fact, that’s private information they definitely don’t want in their possession. Auditors want to see evidence that the background check was completed, but not the contents of the check.
Collecting this information manually just makes sense. That way, data requiring redaction or removal is confidently completed. Will you fail your SOC 2 for sharing Bob’s traffic ticket with an auditor? No, but it does increase back and forth communication with your auditor, potentially delaying completion.
Executive management review meetings
Companies typically have executive management meetings or board meetings on a set frequency. These quarterly or semi-annual meetings generally are not run through software. But, they usually have presentations. The decks include company performance, strategy points, and overviews resulting in discussions. Those are documented in meeting minutes. The minutes and the visuals may be stored in the cloud, but an integration won’t pull the evidence a SOC 2 auditor requires.
There’s information in these presentations and confidential notes similar to the background check. A screenshot with redacted information is plenty for evidence regarding executive management review meetings. And if your auditor is looking for something specific, they’ll guide you.
Business continuity and disaster recovery plans or tests
Business continuity and disaster recovery plans or tests can be managed with sophisticated software. However, it’s still common in businesses of all sizes to maintain these on good old-fashioned printouts. After all, if a disaster occurs and the connection to your network is lost, how will you know what to do? That’s why Word or PDF docs are still routine.
These plans also require annual testing. Multiple departments review them and provide feedback for revisions. Then there’s real-life scenario testing. What was the scenario? When did you execute the plan? What was the outcome and which departments were involved? Organizations maintain all of this manually within their documents, making it easy for auditors to collect the information relative to the SOC 2 audit via screenshot.
Learn more about gaining compliance by downloading this eBook about the ISO 27001 journey. To request a demo for OneTrust’s Certification Automation tool, go here.