What can and can’t be automated for SOC 2

Not all SOC 2 components can be automated, but those that can will save your business time and money.

October 5, 2022

A graphic of a blue and purple gradient background.

Everyone is searching for a simplified SOC 2 experience but there’s some confusion about what can and can’t be automated for SOC 2. It’s not something that can be 100% hands-free. 

Reducing your number of daily decisions is a form of automation. It’s how you streamline processes, limit distractions and save time and manpower. By default, manual implies the opposite—especially with SOC 2. As a result, you can’t help but feel a bit panicky as you prepare for what you assume will be a labor-intensive experience that will suck the joy out of your day-to-day tasks. But not all manual tasks are complex.  

For example, take a smart coffee machines that consistently deliver a decadent caffeine experience. As a home barista, you can choose between a cappuccino or a basic cup of black, set a program to run or even ask Alexa to do it for you. However, you’re still responsible for installing a coffee pod and filling the water reservoir manually for the machine to complete the task. The hands-on, manual expectations are quick, clear and straightforward, though. 

Manual work for SOC 2 is similar. With the right automation, the manual evidence collection tasks are a lot like adding water. You save time and end up with a successful audit to pair with your delicious cup of coffee. Let’s take a look at some examples of what can and can’t be automated for SOC 2. 

What can be automated for SOC 2 

Most organizations face the same SOC 2 challenge—ensuring their team implements the necessary controls and properly document evidence. Automating evidence tasks saves time, money, and stress. 

When searching for SOC 2 software, automated evidence collection and integrations are a high priority.  

What can’t be automated for SOC 2 

If a software provider claims to automate the entire SOC 2 process, they may not be sharing all the details. In fact, it’s just not possible. Instead ask questions specifically about the following manual tasks.  

HR-related tasks like background checks 

Most organizations use a third party for background checks. All the information they’re supplied is pulled into whatever HR system they use. Depending on the position in question, background checks may include: 

  • Criminal records 
  • Employment history 
  • Reference checks 
  • Citizenship status or a work visa  
  • Credit history 
  • Education  
  • Social media profiles 
  • Driving record 
  • Medical records 

Does a SOC 2 auditor require an employee’s traffic ticket from 2012? Of course not. In fact, that’s private information they definitely don’t want in their possession. Auditors want to see evidence that the background check was completed, but not the contents of the check.  

Collecting this information manually just makes sense. That way, data requiring redaction or removal is confidently completed. Will you fail your SOC 2 for sharing Bob’s traffic ticket with an auditor? No, but it does increase back and forth communication with your auditor, potentially delaying completion.  

Executive management review meetings 

Companies typically have executive management meetings or board meetings on a set frequency. These quarterly or semi-annual meetings generally are not run through software. But, they usually have presentations. The decks include company performance, strategy points, and overviews resulting in discussions. Those are documented in meeting minutes. The minutes and the visuals may be stored in the cloud, but an integration won’t pull the evidence a SOC 2 auditor requires.  

There’s information in these presentations and confidential notes similar to the background check. A screenshot with redacted information is plenty for evidence regarding executive management review meetings. And if your auditor is looking for something specific, they’ll guide you. 

Business continuity and disaster recovery plans or tests 

Business continuity and disaster recovery plans or tests can be managed with sophisticated software. However, it’s still common in businesses of all sizes to maintain these on good old-fashioned printouts. After all, if a disaster occurs and the connection to your network is lost, how will you know what to do? That’s why Word or PDF docs are still routine.  

These plans also require annual testing. Multiple departments review them and provide feedback for revisions. Then there’s real-life scenario testing. What was the scenario? When did you execute the plan? What was the outcome and which departments were involved? Organizations maintain all of this manually within their documents, making it easy for auditors to collect the information relative to the SOC 2 audit via screenshot. 

Learn more about gaining compliance by downloading this eBook about the ISO 27001 journey. To request a demo for OneTrust’s Certification Automation tool, go here.      

You may also like


Third-Party Risk

Staying vigilant: 7 practical tips for ongoing third-party risk monitoring

In this webinar, we'll share seven practical tips for effective third-party risk monitoring, helping you to identify new risks and take timely action to protect your business.

August 02, 2023

Learn more


Third-Party Risk

Automating third-party management workflows: 5 ways to drive alignment across teams

Join us as we explore how automating third-party management workflows streamlines processes, drives alignment across teams, and reduces reduntant work.

July 19, 2023

Learn more


Third-Party Risk

Are your third parties a privacy compliance liability? 5 tips to reduce your exposure

Join our webinar and learn how to create an effective, privacy-focused third-party risk management (TPRM) program that streamlines recordkeeping and reduces your risk exposure.

July 05, 2023

Learn more