Your Pre-Audit Checklist for SOC 2 Compliance

If you want to assess SOC 2 compliance for your business, it helps to do a pre-audit. This checklist will help you organize the tasks and details required to assess and address any issues before your first SOC 2 compliance audit.

But first, let’s cover a few of the basics.

What does SOC 2 compliance mean?

SOC 2 (pronounced "sock") compliance is an industry-standard focusing on a company's information security and privacy practices. The goal is to protect your users' private information and ensure that it is managed securely.

Why is SOC 2 compliance important?

Security is a top concern for all organizations, especially SaaS and cloud-computing providers. When privacy data is mishandled, it leaves the organization's and its customer's data at risk of theft, extortion, malware installation, and other cyber attacks.

Are you ready for your SOC 2 audit?

To achieve SOC 2 compliance, companies must adhere to specific procedures and policies set by the American Institute of Certified Public Accountants (AICPA). 

Before an experienced SOC 2 CPA completes your audit, you can ensure you’re meeting expectations by performing a self-audit. How? 

We’ve created a quick and easy checklist for you to prepare for your SOC 2 audit:

Please note, that while there are five categories within the Trust Services Categories listed below, only the ‘Security’ category is required for a SOC 2. However, when trusted with private data and security, the rest of the Trust Service Categories are recommended but not required.

  •  Do your controls meet the relevant Trust Services Categories?

Privacy 

Do you manage private data with any of the following? 

  • Access control

  • Two-factor authentication 

  • Encryption

Security

Do you manage customer and/or employee data with any of the following?

  • Logical and Physical Access control

  • Network firewalls

  • Intrusion detection

  • Two-factor authentication

Availability

Do you have availability controls and processes in place, such as:

  • Handling of security incidents

  • Disaster recovery

  • Performance monitoring

  • System and Data Backups

Processing Integrity

Can you provide proof of:

  • Data integrity; ensuring accuracy and completeness of data

  • Processing monitoring; error detection and correction, job reporting, and audit trails

Confidentiality

Can you provide proof of:

  • Data encryption

  • Access controls

  • Data Retention and Destruction Procedures

My organization completed a SOC 2 compliance self-audit. Now what?

After going through the above checklist, make sure that you are:

  • Remediating any areas where your organization is not meeting the AICPA’s defined SOC 2 criteria, based on your chosen criteria within the Trust Services Categories.Meet and communicate with stakeholders and employees the results of the self-audit, and remediation plans to create a culture of security and compliance throughout the organization.

SOC 2 Compliance Audit Readiness

You’re dealing with private data and information, so suffice it to say, yes, a self-audit is a great way to ensure your organization takes its responsibilities for security seriously.

After a SOC 2 compliance self-audit and remediation, your organization is ready for its SOC 2 compliance audit from an experienced and specialized CPA like Johanson Group.


ABOUT JOHANSON GROUP:

Johanson Group, based in Colorado Springs, CO, provides audits and professional services to public and private companies in a variety of industries world wide.

We serve:

  • SaaS Start-ups

  • SaaS Healthcare Organizations

  • Established SaaS Companies

  • Government SaaS Organizations

We provide:

  • SOC 2 assessments

  • HIPPA assessments

  • ISO/IEC 27001 reports

Previous
Previous

The Benefits of SOC 2 Compliance

Next
Next

What is a SOC 2 Attestation?