Find an auditor

Going through an audit can be an overwhelming process. When it comes to SOC 2, an audit is an auditor’s informed opinion on how well your organization’s controls meet the relevant Trust Service Criteria. There are a few things you should consider when selecting an auditor:

  • Accreditation: Ensure that your auditor is a licensed CPA. Only a CPA can sign off on a SOC 2 audit.
  • Find a reputable firm. Any firm with a good reputation is sufficient. If you need guidance in this area, TrustCloud provides recommendations in this list of audit partners.
  • Experience matters. An auditor with more experience is likely to have a better and more thorough understanding of SOC, how to evaluate controls against your organization, and the best practices that apply.
  • It’s important that your auditor understand your business so they can expertly assess if there are any gaps or deficiencies.

What do auditors look for?

Auditors are guided by the IIA Standard Code of Ethics, which requires them to be independent and objective. The auditor evaluates the evidence you have documented to confirm that a particular control exists and that it operates effectively.

Using a combination of techniques, an auditor obtains an in-depth understanding of your program and how it fits into the SOC 2 framework. These techniques may include:

  • Observation: Watching you perform a task relevant to a specific control.
  • Inquiry: Interviewing you or your team to learn about a specific process.
  • Inspection: Requesting evidence of compliance with a control.

To satisfy the auditor’s needs, your documentation must be complete and accurate: the source of the information in each document has to be identified and verified, the content must be written with integrity, and the documentation has to be easily accessible and retrievable for audit purposes. Your goal is for the auditor to reach the same conclusion about the state and health of your information security program that you have reached yourself, and well-prepared evidence is how you help them get there.

Once an auditor has reviewed your work and determined that your controls, policies, and procedures meet all requirements, they give you their stamp of approval. You can now shout out (or post on your website) that you are SOC 2 compliant, for now. And you can start planning for next year’s audit.
