When first going down the SOC 2 path, many companies call up audit firms and have a "scoping call". In this call, the firm's sales representative or SOC 2 specialist asks questions that help them determine the scope of the SOC 2 engagement. But what is involved in that scoping? How can you better understand what they are looking for so that you can make those conversations easier for all parties? This infographic explains the key elements of scoping that auditors are looking for when talking about your SOC 2.
As you can see, one of the main scoping items is the set of commitments you make to customers, and therefore which Trust Services Categories are in scope. Security (the Common Criteria) is always included; availability, processing integrity, confidentiality and privacy are added only when you have made commitments in those areas. From there, you can determine the number of controls you have in place that meet the criteria for those categories, which in turn drives the amount of testing your auditor has to perform.
In addition, your auditor is going to want to know whether you report against other frameworks and whether those should be included in some form in your SOC 2 report. There are two ways to do this. The first is to map your SOC 2 controls to the other framework in the "unaudited" Section 5 of the report (Other Information Provided by the Service Organization). This still requires some additional effort because your auditor has to review the mapping, but it is the cheaper option precisely because the mapping itself is not tested. The other option is a SOC 2+ report. A SOC 2+ report is more expensive because your controls are tested against both the SOC 2 Trust Services Criteria and the requirements of the other framework.
For example, with a SOC 2 + HIPAA report you would have to show all the controls you have that meet SOC 2, where those controls also satisfy the applicable HIPAA requirements, and any additional controls beyond SOC 2 that HIPAA requires. And that is just the reporting. Any additional testing beyond SOC 2 that HIPAA requires must also be performed by your auditors, resulting in additional fees.
Finally, the other major component of scoping a SOC 2 is the technical footprint. In a cloud environment, the auditor is going to want to know your number of:
- Privileged users (anyone with administrative access to in-scope systems, not just cloud console administrators)
- (Virtual) servers
- Network connections
- Cloud Service Provider accounts that hold customer data
- Cloud providers used, or co-location data centers
- Total number of full-time employees
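The privileged-user count is the item on that list that most often turns into an "it depends" discussion, because it hinges on how you define privileged. The script below is an added example, not code from the original page or from Bytechek: it takes the output of `aws iam get-account-authorization-details` (the `UserDetailList`, `GroupDetailList` and `Policies` sections) and counts IAM users that can reach account-wide administrative rights through inline policies, attached managed policies, or group membership. The embedded data is constructed for illustration; the "privileged" rule (an Allow of `*` or `iam:*` on all resources) is an assumption that is deliberately conservative and ignores Deny statements, conditions and permission boundaries, so treat the number as a floor to confirm with your auditor.

```python
"""Count privileged IAM users from an AWS authorization-details dump.

Added example for SOC 2 scoping. Assumes the JSON shape returned by
`aws iam get-account-authorization-details`. The rule for "privileged" is
an assumption: an Allow statement granting "*" or "iam:*" on Resource "*".
Deny statements, Conditions and permission boundaries are not evaluated.
"""
import json
from urllib.parse import unquote

ADMIN_ACTIONS = {"*", "iam:*"}


def _as_list(value):
    """IAM allows Action/Resource to be a string or a list; normalise to list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _load_doc(doc):
    """Policy documents may arrive as dicts or as URL-encoded JSON strings."""
    if isinstance(doc, str):
        return json.loads(unquote(doc))
    return doc or {}


def _grants_admin(doc):
    """True if any Allow statement grants an admin-level action on all resources."""
    for stmt in _as_list(_load_doc(doc).get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        actions = {a.lower() for a in _as_list(stmt.get("Action"))}
        resources = set(_as_list(stmt.get("Resource")))
        if actions & ADMIN_ACTIONS and "*" in resources:
            return True
    return False


def _default_version(policy):
    """Only the default version of a managed policy is in effect."""
    for version in policy.get("PolicyVersionList", []):
        if version.get("IsDefaultVersion"):
            return version.get("Document", {})
    return {}


def privileged_users(details):
    """Return sorted user names that hold admin rights directly or via a group."""
    managed = {p["Arn"]: _default_version(p) for p in details.get("Policies", [])}
    groups = {g["GroupName"]: g for g in details.get("GroupDetailList", [])}

    def docs_for(entity, inline_key):
        for inline in entity.get(inline_key, []):
            yield inline.get("PolicyDocument", {})
        for attached in entity.get("AttachedManagedPolicies", []):
            yield managed.get(attached.get("PolicyArn"), {})

    found = []
    for user in details.get("UserDetailList", []):
        docs = list(docs_for(user, "UserPolicyList"))
        for group_name in user.get("GroupList", []):
            docs.extend(docs_for(groups.get(group_name, {}), "GroupPolicyList"))
        if any(_grants_admin(d) for d in docs):
            found.append(user["UserName"])
    return sorted(found)


def scope_summary(details):
    """The two numbers an auditor asks for first: total users and privileged users."""
    privileged = privileged_users(details)
    return {"total_users": len(details.get("UserDetailList", [])),
            "privileged_users": len(privileged),
            "privileged_user_names": privileged}


# Constructed sample (not real account data): alice inherits AdministratorAccess
# via a group, dave has an inline iam:* policy, bob has broad s3:* (not counted),
# carol has ReadOnlyAccess.
ADMIN_DOC = {"Version": "2012-10-17",
             "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]}
SAMPLE = {
    "UserDetailList": [
        {"UserName": "alice", "GroupList": ["admins"], "AttachedManagedPolicies": [],
         "UserPolicyList": []},
        {"UserName": "bob", "GroupList": [], "AttachedManagedPolicies": [],
         "UserPolicyList": [{"PolicyName": "s3-full", "PolicyDocument": {
             "Statement": [{"Effect": "Allow", "Action": "s3:*", "Resource": "*"}]}}]},
        {"UserName": "carol", "GroupList": [], "UserPolicyList": [],
         "AttachedManagedPolicies": [{"PolicyName": "ReadOnlyAccess",
                                      "PolicyArn": "arn:aws:iam::aws:policy/ReadOnlyAccess"}]},
        {"UserName": "dave", "GroupList": [], "AttachedManagedPolicies": [],
         "UserPolicyList": [{"PolicyName": "iam-admin", "PolicyDocument": {
             "Statement": [{"Effect": "Allow", "Action": ["iam:*"], "Resource": "*"}]}}]},
    ],
    "GroupDetailList": [
        {"GroupName": "admins", "GroupPolicyList": [],
         "AttachedManagedPolicies": [{"PolicyName": "AdministratorAccess",
                                      "PolicyArn": "arn:aws:iam::aws:policy/AdministratorAccess"}]},
    ],
    "Policies": [
        {"PolicyName": "AdministratorAccess", "Arn": "arn:aws:iam::aws:policy/AdministratorAccess",
         "PolicyVersionList": [{"Document": ADMIN_DOC, "IsDefaultVersion": True}]},
        {"PolicyName": "ReadOnlyAccess", "Arn": "arn:aws:iam::aws:policy/ReadOnlyAccess",
         "PolicyVersionList": [{"Document": {"Statement": [{"Effect": "Allow",
                                "Action": ["s3:Get*", "ec2:Describe*"], "Resource": "*"}]},
                                "IsDefaultVersion": True}]},
    ],
}

if __name__ == "__main__":
    print(json.dumps(scope_summary(SAMPLE), indent=2))
```

To run it against a real account, save `aws iam get-account-authorization-details --output json` to a file, `json.load` it and pass the result to `scope_summary`. Note that bob is not counted even though `s3:*` on every bucket is a significant privilege; if your customer commitments concern data in S3, your auditor may well treat him as privileged, which is exactly the kind of definition worth settling on the scoping call.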
These are the key elements to think about when scoping your SOC 2. As things can get complicated (and many times the honest answer is "it depends"), be sure to discuss all the details with your auditor before agreeing to an engagement fee.
At Bytechek, we look to simplify your SOC 2 process, reduce the level of effort on both your end and ours, and ultimately pass those savings on to you. With our automated SOC 2 control testing platform, many of the scoping items that lead to additional effort at other firms are reduced in our methodology. Talk to us today to learn more about how we make compliance suck less!