Auditors are meant to assess the effectiveness of an organization’s security controls against an established set of standards, not set policies and dictate which controls to implement. A certified public accountant who performs a SOC 2 audit will not be an expert in cybersecurity. The American Institute of Certified Public Accountants (AICPA) even states this in their guidance. The auditor should be an expert in assurance practices, and their job should be to ensure that security standards put in place are being met. They are not employed to tell the organization which technologies to deploy and controls to implement.
For businesses with decades of experience dealing with ever-changing regulations, audits and auditors, this is obvious. To their vendors, perhaps not so much. Now, more and more organizations are discovering that achieving SOC 2 compliance and demonstrating effective security protocols is required to do business. For these companies newer to the certification game, audits and audit preparation can be a minefield that complicates technology stacks, disrupts operations and busts budgets.
I have been through this process many times over the years and have developed an understanding of how to avoid the mines. Here are my tips for managing a successful audit of your security controls.
Redefine the auditor relationship
Control design is the responsibility of the organization, not the auditor. Too often this basic truth conflicts with the auditor’s desired practice. Audit prep routinely includes auditors dictating which controls the organization should adopt: draft these policies, configure this list of cloud provider monitoring settings, and enable automated gates at those control points. This checklist approach is costly, can seem endless, and works against actual security.