You are ready for the SOC 2. You have chosen a SOC 2 auditor and you are confident that your controls are working. Now what? Getting audited can be a mysterious and nerve wracking process. It helps to have a general idea of what you can expect. While each auditor has their own nuanced approach and methodology, most of them will follow a similar process.
An auditor’s job is to prove that all of your controls are working as expected, meaning they will test the controls that you have selected. They will test every single control, but will use a method called statistical sampling to limit how much evidence is tested for each control. For example, if you made over 1000 changes to code, they are not going to test all 1000 changes, but will select a random sample. You won’t know which samples they plan to test, so all of your control evidence should be audit-ready.
Sometimes you can predict exactly what they want, for example, the auditor is guaranteed to test any control that is performed annually. For controls that are performed at some other frequency, they will test via sampling. It is rare that an auditor will test 100% of a population (unless it is an annual control and the sample size is one). Therefore you want each and every control to be operating perfectly - you can’t be sure which samples they will select.
A few weeks before the start of your audit, your auditor will send you a document request list (sometimes called a PBC or provided by client list). This list is based on the controls you have identified for them. As you begin to deliver your documents, they may have follow up questions or request additional bits of evidence. It’s normal to have some back-and-forth communication during this phase.
The frequency with which each control is performed will influence which documents the auditor requests, and the sample size they will select. If you have a control that is performed only when an event happens (new-hires are on boarded randomly), then that is ad hoc. The auditor will look at each control and how often it is performed, and then extrapolate a sample.
The sampling math happens behind the scenes and gets distilled into a testing approach that may look like this:
This is an example. Each audit firm will have their own approach, but different auditors will have comparable approaches unless you are in a high risk industry or have a high risk profile (meaning you have a history of botching your controls). Higher risk will result in larger sample sizes.
The auditor will use one or a combination of testing approaches. You can expect to see the following techniques, for example:
Your auditor may also test a few other control characteristics, depending on the nature of the control. They will want to ensure that your controls are:
There are few helpful things you can do when providing evidence that will ingratiate you to your auditor.