Resources
Everything you need to know
Company
Security and customers first
Close

Request a demo

Find out today the difference that Hicomply’s unique solution can make to your business.

Close

Thank you for your request

Success

In the meantime, connect with Hicomply for insights on authentication and fraud prevention

Close

ROI Calculator

See how much you could save with Hicomply

Hicomply feature Yearly saving
Automated scoping Easily scope your ISMS with the Hicomply platform
Asset register autogeneration A shorter learning curve for organisations and a simplified process
Risk assessment Autogenerate your risk register and risk treatment plan
Extended policy templates 90% of the essential are already written out of the box
Controls framework All controls are pre-loaded and already linked to the risks they mitigate
Task management Automate all actions, administration and setup time of your ISMS
Real time monitoring Understand status and progress across your ISMS with the Hicomply dashboard
Compliance & Training Your whole team, on the same page
Audit readiness Hicomply makes sure you have everything in place for your audit
Auditor access Give auditors a dedicated login to access and audit your ISM
Back to Resource Hub

The SOC 2 Audit Process

So, you’ve decided to work towards SOC 2 compliance for your organisation. Your management team is on board and you’re designing your controls.

When your organisation is ready, the final step before receiving an unmodified opinion (aka a ‘pass’) is your SOC 2 audit. The subsequent report from your auditor shows your current and future clients that you’re SOC 2 compliant and take information security seriously.

But what’s involved in the audit? We’ll walk you through the SOC 2 audit process.

Firstly, What Is A SOC 2 Audit?

SOC 2 is an information security framework designed to demonstrate that your organisation adheres to security best practices when safeguarding client information. The SOC 2 audit involves an external auditor, a Certified Public Accountant (CPA), evaluating the effectiveness of your business or organisation’s controls for managing and protecting its services and data.

The audit assesses five sets of organisational controls:

  • Security;
  • Availability;
  • Processing integrity;
  • Confidentiality;
  • Privacy.

These controls are based on the American Institute of Certified Public Accountants (AICPA) 2017 Trust Services Criteria for Security, Availability, Processing Integrity, Confidentiality, and Privacy. Not all controls are applicable to every business, so each SOC 2 audit is dependent on an organisation’s processes and offering. Security is the only mandatory criteria.

The result of the audit is released as part of a SOC 2 report.

What Is The SOC 2 Audit Process

The SOC 2 audit process can be broken down into five stages:

  • Audit scope review – this is where the auditor will review the scope before they begin the audit, to ensure the scope that your organisation has defined is clear and accurate.
  • Project timeline – in line with the scope of the audit, the auditor will then define a project timeline and share a project plan with you.
  • Security control testing – the auditor will test the security controls for design and operating effectiveness.
  • Recording results – during this part of the process, the auditor will document the results they have seen.
  • Final report – your organisation will receive the client report, which will include an evaluation of the controls and a final opinion on the organisation’s information security in line with the Trust Services Criteria principles your management team has chosen to address.

You can view an example SOC 2 audit report from the AICPA.

How Long Does A SOC 2 Audit Take?

As SOC 2 audits are tailored to the individual organisation, the amount of time it takes to complete a SOC 2 audit varies considerably. The audit scope and the amount of controls the auditor needs to review both impact the timeframe for an audit process, but you can expect your audit to take between two months to five months.

Of course, this timeframe doesn’t include the time it takes the organisation to prepare for the audit, which could take anywhere from six to twelve months.

Achieving SOC 2 With Hicomply

One of the most time-intensive processes in preparing for SOC 2 is building out your security policies and procedures in line with SOC 2 and Trust Services Criteria requirements.

This is a quick and easy task on the Hicomply platform, where you can automatically populate your policies and procedures from our templates, automatically generate risk assessments, automatically update documentation and, you guessed it, automatically send reminders to staff when tasks need to be completed.

Hi, automation. Goodbye, painstaking hours of policy-writing, manual risk assessments and chasing your team to do the tasks you’ve assigned to them.

With the Hicomply platform and the additional support of our customer success team should you need it, you can achieve SOC 2 compliance in half the time, and then upload your final report to the Hicomply platform.

Ready to say hi to automation, convenience and new customers, and wave goodbye to wasted hours and hundreds of unnecessary emails? Get in touch with team Hicomply.

More Resource Hub

ISO27001
SOC 2 Policies and Procedures
ISO27001
What Is The NHS Data Security and Protection…
ISO27001
Whitepaper | How To Choose The Best Information…