SOC 2 Report Criteria and FAQs

by Joseph Kirkpatrick / March 6th, 2018

SOC 2 FAQs

When a client pursues a SOC 2 audit for the first-time, they normally ask: What are the requirements of a SOC 2 audit? How are we going to be judged? What can I do to prepare? Which Trust Services Criteria should I select? KirkpatrickPrice strives to be your audit partner and will work with your organization to answer each of these SOC 2 FAQs.

Preparing for a SOC 2 Audit

One of the most common SOC 2 FAQs is: How should I be preparing for a SOC 2 audit? One of the best things to do when preparing for a SOC 2 audit is review the purpose of the final component of a SOC 2 audit report, which describes the controls in place to meet the Trust Services Criteria and describes the auditor’s test of controls to determine the effectiveness of the controls. Each category of the Trust Services Criteria has standards that you must meet to demonstrate your compliance. When preparing for a SOC 2 audit, your organization should go through these standards and review how you meet each one.

For example, the security principle requires that the entity, your organization, “has established workforce conduct standards, implemented workforce candidate background screenings procedures, and conducts enforcement procedures to enable it to meet its commitments and requirements as they relate to the applicable Trust Services Principles.” How would you organization review how you meet this standard?

The first element of this criteria is workforce conduct standards. An assessor would ask your organization questions like:

• What are your workforce conduct standards? For many organizations, this will be a part of your employee handbook.
• Do you have employees acknowledge the employee handbook?
• Do you offer training to teach what your workforce conduct standards are?

The security principle criteria also specifies background screening procedures. To verify compliance with this criteria, an assessor would ask your organization questions like:

• Do you have written policies and procedures? This may also be a part of your employee handbook.
• Can we see evidence that background screening reports have been ordered? We want to ensure that when an organization says they’re doing background screening, they’re actually doing background screening.

The last element in this example is conducting enforcement procedures.

• How do you enforce employee handbook standards that govern workplace conduct?
• How do you enforce the policies and procedures relevant to background screening?
• Do you communicate the consequences of violating these standards to your employees?

How would your organization prepare for a SOC 2 audit? Preparing for a SOC 2 audit requires many exercises in risk management, internal control review, and comparison with the Trust Services Criteria. To discover answers to more of your SOC 2 FAQs, contact us today.

Some of the SOC 2 FAQs that we receive from clients who contact us about a SOC 2 report are: what are the requirements? What do I need to do to prepare? How are we going to be judged against the standard?

The way that a SOC 2 audit report works is we will be looking at criteria. As part of the Trust Services Principles (recently updated to the 2017 Trust Services Criteria), each principle has criteria that you must meet to demonstrate that you have placed this criteria into operation in order to meet the purpose of the principle that’s being audited.

Let me give you an example of a criteria so this idea can start to take shape and you can picture what an audit might look like when working with us during a SOC 2 engagement. In the security principle, which is also referred to as the Common Criteria for SOC 2 audit reports, there’s criteria that states, “The entity has established workforce conduct standards, implemented workforce candidate background screenings procedures, and conducts enforcement procedures to enable it to meet its commitments and requirements as they relate to the applicable Trust Services Principles.” When we look at that criteria, we’re going to be asking you: What are your workforce conduct standards? For a lot of people, that will be contained within an employee handbook that governs the conduct standards that you have for your employees while they’re under your employment. Do you have them acknowledge the handbook? Do you do training in order for them to understand what the standards are? Those are the types of things that we would look at in order to determine whether or not the criteria are in place.

This piece of criteria also specifies background screening procedures. So, we would expect to see a procedure on that written out, usually part of an employee handbook. We would also want to see evidence that the background screening reports have been ordered and you’re actually doing that for any employee hired. We have encountered situations where an organization says that they’re doing background checks in accordance with the criteria, but then we see that they haven’t done the background checks. We need to see that the criteria has been met.

The last piece in this example I’ve given you is that you conduct enforcement procedures in order to enable your organization to meet its commitments. In other words, if you have an employee handbook that governs workplace conduct, if you have a policy that you must perform background checks when people are hired, how do you enforce that? How do you make sure that people are actually following the rules? We would ask you how you monitor that, if you address standards in performance reviews, and do you communicate to your employees that violation of those standards or background check requirements would result in some type of discipline up to termination.

This is an example of criteria and how you’d be able to demonstrate that you meet the criteria. That’s the type of thing to prepare for in your SOC 2 audit report.