SafeBase recently completed our SOC 2 compliance audit for the 12-month period ending on May 31, 2023. We are proud to say that no exceptions were found! In the spirit of transparency, we wanted to share our experience. This post is a deep dive into our auditing process, the strategies that proved effective, and some key lessons that we took away.
The Importance of Advance Notice
The first lesson we learned was the importance of providing advance notice to other departments. We realized that key individuals might be unavailable during the evidence-gathering period, leading to potential delays and additional costs. Hence, giving advance notice and scheduling evidence collection beforehand proved beneficial. For larger organizations, this is even more critical, as documents such as background checks can take days, or sometimes even weeks, to obtain.
Preserving the Principle of Least Privilege
During the compliance evidence uploads, we maintained the principle of least privilege. We ensured that our security team only accessed the essential evidence and maintained the sensitivity of private documents, even during sampling. For example, our security team never looked at the results of background checks, and simply passed this evidence along from what our People team gave us.
Evolving Audits and the Need for a Robust System
We noticed both internally and from our customers that audits appear to be much more detailed than in previous years. Simply having software that “automates” compliance may not be enough: the auditor will likely ask for evidence that the platform does not collect, or may not consider the information held within the automated system sufficient. What was asked for in previous years may not be the same as what your current audit will require.
In particular, some of these tools may not be able to provide sampling in the way that an auditor desires. In our case, we needed to show evidence of specific GitHub pull requests, each with an author and a reviewer, for a randomly selected set drawn from our overall list. In addition, the auditor also wanted to see the actual results of our background checks, not just confirmation from our vendor that they were completed. Some automation solutions can check configuration settings, but most are not able to produce the exact samples with the level of detail that auditors want to see.
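The pull-request sampling described above, as an added example that is not SafeBase's own tooling: it assumes the merged-PR list has already been exported (for instance from GitHub) into dicts with the field names shown in the constructed sample, draws a reproducible random sample from a seed the auditor can re-run, and flags PRs that lack an independent reviewer.

```python
"""Reproducible pull-request evidence sampling for a change-management control.

Added example, not the original post's code. Field names ("number", "author",
"reviewers") and the PR data are assumptions constructed for illustration.
"""
import hashlib
import random

# Constructed sample export of merged pull requests (not real data).
MERGED_PRS = [
    {"number": 101, "author": "alice", "reviewers": ["bob"]},
    {"number": 102, "author": "bob", "reviewers": ["alice", "carol"]},
    {"number": 103, "author": "carol", "reviewers": []},        # no review at all
    {"number": 104, "author": "dave", "reviewers": ["dave"]},   # self-review only
    {"number": 105, "author": "alice", "reviewers": ["carol"]},
    {"number": 106, "author": "bob", "reviewers": ["dave"]},
]


def sample_prs(prs, count, seed):
    """Pick `count` PRs; the same seed over the same population yields the same set."""
    rng = random.Random(seed)
    ordered = sorted(prs, key=lambda p: p["number"])  # make input order irrelevant
    return rng.sample(ordered, min(count, len(ordered)))


def check_separation_of_duties(pr):
    """Return None if someone other than the author reviewed, else the exception."""
    if not pr["reviewers"]:
        return "no reviewer recorded"
    if all(r == pr["author"] for r in pr["reviewers"]):
        return "only self-review"
    return None


def build_evidence(prs, count, seed):
    """Rows an auditor asks for: PR number, author, reviewer(s) and any finding."""
    rows = []
    for pr in sample_prs(prs, count, seed):
        rows.append({
            "number": pr["number"],
            "author": pr["author"],
            "reviewers": ",".join(pr["reviewers"]) or "-",
            "exception": check_separation_of_duties(pr),
        })
    return rows


def evidence_digest(rows):
    """SHA-256 over the rows so the uploaded evidence file can be shown unaltered."""
    text = "\n".join(f"{r['number']}|{r['author']}|{r['reviewers']}|{r['exception']}" for r in rows)
    return hashlib.sha256(text.encode()).hexdigest()
```

Record the seed and the population size alongside the digest in the evidence upload; that is what lets the auditor confirm the sample was not hand-picked.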
As a best practice, go above and beyond with your controls, not only to benefit your internal security program but also to be ready in the event that your auditor asks for more details than you have seen in the past. Assume that you will encounter the absolute strictest of audits, and you will ensure that your company is ready for anything!
The Value of Pre-Audit Assessment
For those embarking on a SOC 2 audit for the first time, we recommend engaging an audit firm to conduct a pre-audit assessment. This provides valuable insight into what the actual audit will entail and gives your organization an opportunity to make improvements ahead of time so that the actual audit goes smoothly. An additional benefit is that if your pre-audit assessment goes well, you can even choose to go directly to a SOC 2 Type 2 audit covering 12 months rather than a point-in-time Type 1.
Communication and Education Across Departments
An important lesson was the need to educate other departments about the necessity of audits. Security has evolved from being a potential sales hurdle to a sales enabler, so it's crucial to equip your sales team to present your SOC 2 report as a key piece of evidence for speeding along the sales cycle. As we have seen across our hundreds of customers with Trust Centers, the SOC 2 report is one of the most downloaded documents during the security review process. Many organizations will simply refuse to conduct business unless they see evidence of a SOC 2 or ISO 27001 audit as a bare minimum.
Showcase Best Practices
If your organization employs unique control measures, such as hardware YubiKeys or biometrics for MFA, don't shy away from mentioning these to your auditor. This helps create a more complete picture of your security protocols when the report is reviewed. One note about SOC 2 reports is that controls can vary from organization to organization, and your auditor may not always ask questions that give you a chance to highlight controls that you are particularly proud of. Instead, volunteer this information so that readers of your SOC 2 report will be informed of your team’s extra efforts to keep your data secure.
The Auditing Process is a Conversation
The SOC 2 audit process is not just a one-way street; it's a conversation. Your auditors will ask many questions, but you are also encouraged to ask questions to clarify any uncertainties. In addition, you should view them as partners in your security journey who hold you accountable for ensuring that your security program is indeed following best practices. In fact, some auditors prefer the term “assessor” and share the philosophy that their goal is to help, rather than hinder, the success of their clients.
The Importance of the Auditing Firm
In recent years, the reputation of the firm conducting the audit has become increasingly important in the eyes of security practitioners. As even smaller organizations, such as those with as few as 5 employees, are now required to undergo SOC 2 audits, customers value not just the completed audit, but also who conducted it. While there are many great firms that offer quality reports at reasonable prices, there are others who have taken advantage of the explosion in demand and conduct lower quality audits as a means to quickly acquire customers. GRC teams are quickly becoming aware of this behavior, and are in turn raising their expectations.
For smaller organizations, committing to a SOC 2 audit may seem daunting, but it's an investment that pays dividends over the long run. Think of this report as a key part of your sales enablement strategy! By following best practices and obtaining a quality report from a trusted firm, you give your customers yet another reason to do business with you.
If your team is searching for a quality, but affordable, auditor, don’t hesitate to reach out to us for some recommendations!
SOC 2 Audits as a Learning Opportunity
SOC 2 audits provide an objective perspective on your organization's security posture. If auditors identify areas for improvement, view this as an opportunity to enhance your security. Similar to a report card in grade school, you might not get all A’s, but those B’s can show you where to focus your efforts.
Also, should formal exceptions be identified, you are given the opportunity to explain any compensating controls or similar mitigations at the end of the SOC 2 report. Security professionals will look for this section while reviewing your SOC 2. Most reviewers understand that humans make mistakes. The key here is to demonstrate that the mistakes were minor in nature, and not an indication of a larger problem.
Preparing a Bridge Letter Template
Lastly, prepare a bridge letter template ahead of time if this is not the first time you are undergoing an audit. Here is an example of a template you can use. Just as having a SafeBase Trust Center proactively presents your company’s security posture, enabling and accelerating crucial security reviews, having a bridge letter template ready to go will allow your team to quickly respond to requests from customers who are waiting for your new SOC 2 report to be finalized. Our 2023 report happened to be delayed slightly due to some team members going on PTO, but we were able to give bridge letters to several prospects during this period.
We hope that this post was helpful for anyone considering or undertaking a SOC 2 audit. You can check out our new SOC 2 Type 2 Report in our Trust Center. As we look forward to the future, we will continue to build on these learnings, strengthening our commitment to security and excellence.