Blog Post

What's required after my first SOC 2® report?

Mike DeKock, CPA, CEO

July 19, 2023
The Compass:
Helping you navigate the myths, intricacies, and questions around SOC 2 compliance.

Q: What is required after my first SOC 2® report?

A: MJD Answer

You’ve completed your SOC 2 report. That first-time report can be a lot of work, and it’s worth celebrating while you hang the new AICPA logo on the website. So what’s next? 

If you have done it right, it’s pretty simple because your controls have been baked into the way you do business so you just need to follow the new expectations you have set for your organization. It doesn’t have to be hard or complex, but it’s new and a lot to keep organized, so here are some things to consider to help you along the way. 

  1. Plan your next audit now. Figure out the timing, set expectations with the auditor, and calendarize the annual compliance schedule while any challenges are fresh in your mind. 
  2. Maintain a continuous, annual reporting cycle that covers 12 months. Your customers will want to see ongoing compliance, and continuing to hold your team accountable will avoid dust collecting on the program and having to start over again. 
  3. Be strategic with how you document controls. Don’t “document everything” - document the right things. So much time with SOC 2 gets wasted on throwing documents against the wall, hoping one of them gets the auditor to go away, but it doesn’t have to be that way. Go through your report and identify what is needed and when it’s needed, and craft some clean, clear, easy-to-follow audit evidence to support your great work. It’s ok to make it easy for the auditor. 
  4. Keep the program active. I don’t love the auditor/dentist comparison, but brushing your teeth 5x the day before the appointment doesn’t make up for a year's worth of neglect (or so I have been told). Hold standing meetings, maintain communication with your auditor, and find ways to challenge and strengthen your controls. Continuous, iterative, and agile beats a reactive, waterfall approach every time.   
  5. Keep SOC 2 top of mind, and don’t let it become the scapegoat for bad systems. Telling your team, “sorry, this procedure is required for SOC 2” is not going to inspire the level of engagement you would get from “we’re doing this to maintain our customers' trust.” 

And ultimately… If you have the right systems and organizational buy-in, SOC 2 is really no more than a project management exercise. It may not be “easy” for everyone, but there’s absolutely no reason it should be hard. 

A: ChatGPT Answer

After the first SOC 2 report, there are several actions that may be required, depending on the outcome of the audit and the specific needs of the organization:

  1. Address any identified gaps or deficiencies: If the SOC 2 audit identified any gaps or deficiencies in the organization's controls, these must be addressed promptly. The organization should develop a plan to remediate any issues and ensure that the necessary changes are implemented.
  2. Conduct regular monitoring and testing: To maintain compliance with SOC 2, the organization should conduct regular monitoring and testing of its controls to ensure they are working effectively. This includes ongoing risk assessments and periodic testing of controls.
  3. Maintain documentation: The organization should maintain documentation to demonstrate its compliance with SOC 2 requirements. This includes policies, procedures, and evidence of controls.
  4. Engage in regular SOC 2 audits: To maintain SOC 2 compliance, the organization should engage in regular audits. This may include an annual SOC 2 Type 2 audit or periodic SOC 2 Type 1 audits.

More posts

Blog Post
7 min read
How do I know what categories to choose for my SOC 2® report?

In general, all SOC 2 reports must cover the trust services criteria relevant to security, so that is a good place to start.

READ MORE
Article
Understanding the Nuances: Privacy and Confidentiality

Within the SOC 2 framework, two crucial categories—privacy and confidentiality—play distinct roles in safeguarding sensitive data. Our latest article outlines each category and the differences between the two.

READ MORE
Blog Post
EdUp AI podcast

Mike DeKock talks to Jason Gulya on the EdUp AI podcast focused on building a blueprint for how colleges can leverage artificial intelligence.

READ MORE