Once upon a time, performing a SOC 2 audit was a rite of passage for service companies: “Wow, we’re so successful now that big clients want us to do important things, and we need a SOC 2 audit to prove our street cred!”
Times have changed. In today’s cybersecurity world, the SOC (System and Organization Controls) 2 audit plan is more like a fact of life: “Yikes, if we can’t pass a SOC 2 audit to document our security controls, nobody will give us the time of day.”
That’s no easy task for a small firm, and setting the scope of your SOC 2 audit correctly is crucial. Define the scope too narrowly, and you might not give the assurance your customers will want – prompting more SOC 2 audits in the future. On the other hand, define it too broadly, and you waste money auditing more processes than necessary (while disrupting daily operations, too).
Hence the need to understand SOC 2 audits, and how to scope them wisely.
What Is Audit Scoping?
Audit scoping is the process of determining the nature, type, and timeliness of procedures that will be carried out during an audit. Typically, you perform a risk assessment to determine the audit’s scope. The greater the risk of errors or weaknesses in the processes you’re auditing, the more extensive your audit procedures should be.
For example, an audit would usually follow these steps:
- Learning about the operations of audit clients (scoping)
- Evaluation of the possibility of errors, fraud, or noncompliance (scoping)
- Creating auditing processes (scoping)
- Acquiring adequate and relevant audit evidence (execution)
- Forming a judgment about the effectiveness of internal controls (execution)
- Presenting audit results (reporting)
Why Is Audit Scoping Important?
Audits are conducted for various reasons, such as routine “check-ups” of corporate records, looking for fraud inside a firm, or – especially relevant for SOC 2 compliance – assessing the company’s compliance with certain regulatory requirements. So an audit’s scope can vary widely, depending on who is doing the audit and why.
What Should SOC 2 Audit Scoping Include?
The first three audit steps in the above list are what audit scoping is about. These phases involve risk assessment and business comprehension.
You may use different methods to understand the business. For example, you could interview key employees, review company policies, study flow charts of how business processes work, or ask employees to walk through a business process while you observe.
A SOC 2 audit specifically assesses how well a company’s cybersecurity controls measure against five “Trust Service Principles” (TSPs) developed by the American Institute of Certified Public Accountants. Those principles are:
- Security. The system is protected against unauthorized access, use, or modification.
- Availability. The system is available for operation and use to meet the firm’s commitments and system requirements.
- Processing integrity. System processing is complete, valid, accurate, timely, and authorized.
- Confidentiality. Information designated as confidential is protected per the firm’s commitments and system requirements.
- Privacy. Personal information is collected, used, retained, disclosed, and disposed of to meet the entity’s commitments and system requirements.
Not every SOC 2 audit must consider all five principles. After all, these audits only go to specific clients (or prospective clients) your firm has, presumably with specific needs they want your firm to address. So deciding which TSPs satisfy your client’s concerns about security is the key to determining the scope of your SOC 2 audit. Include only those TSPs that are necessary and no more.
For example, if you provide data storage to user entities in a data center, and clients do all processing on their own systems, then you need to include the Security and Availability principles in your SOC 2 audit, but not Processing Integrity. The Privacy principle is in scope if you store personal data about individuals. If you only hold product design plans, the Confidentiality principle is in scope, but the Privacy principle may not be.
Why Principles Matter
Identifying the relevant TSPs is vital because your next step is determining which systems, policies, and procedures support those principles and organizing your internal controls to match these needs. Those things will be what your SOC 2 audit examines. SOC 2 audits covering multiple TSPs can sweep lots of your firm’s systems and controls into scope.
One starter question is: “If we can’t guarantee this principle, does that harm our relationship with the customer?” If the answer is yes, then the principle is probably in scope.
Another important task at this juncture is to work with senior executives to define the firm’s products, services, and strategy as clearly as possible. For example, who are the target customers? What do they need? What benefit does your firm provide? What else will you provide in the future? The answers will define the TSPs your firm needs to provide to customers. That, in turn, will drive the scope of your SOC 2 audit.
Compliance and audit executives don’t need to answer those questions themselves. They do, however, need to put the questions to senior management and insist: “We need to answer these.”
Scoping questions become more granular and company-specific from there. For example, you may want to start with a Type I audit before a more intrusive Type II audit. You might begin with “easier” principles, such as Availability, before more complex ones, such as Processing Integrity. SOC 2 advisory firms (and there are plenty of them) are more than happy to perform readiness assessments before an actual audit gets underway.
The crucial questions are: (1) are we clear on what our firm offers? and (2) what must our systems provide, in terms of security and integrity, to uphold our end of that relationship?
These days, if you want to do any business at all, you’d better have good answers.
Prepare for your SOC 2 with ZenComply
Need assistance getting ready for your SOC 2 audit? Reciprocity’s ZenComply can help.
ZenComply is a compliance and audit management tool that offers a quicker, more straightforward route to compliance by doing away with tiresome manual procedures, speeding up onboarding, and keeping you informed about the development and efficacy of your programs.
Having seamless integrations with Reciprocity ZenRisk and the Reciprocity ROAR platform gives you a unified, real-time view of risk and compliance, giving you the contextual insight required to make wise, strategic decisions that keep your company secure and win the trust of your clients, partners, and employees.
To find out more, schedule a demo today!