
Compliance 102: Preparing for the SOC 2 Audit

3 January 2023

Compliance and governance concepts can be challenging to those who are new to the space, and understanding how different frameworks apply to your business is a unique experience. Our ongoing compliance series is back for season two, and this time we are focusing on what you need to do leading up to a SOC 2 audit.

We’ve recruited the expertise of one of our compliance experts, Troy Fine, to walk you through the most critical areas of the SOC 2 process, breaking down concepts directly out of AICPA’s official guide. Have questions? Start a conversation in our SOC 2 area of the community.


Haven’t checked out Compliance 101, our first season? You can review all the content here.


Episode 1: Understanding SOC 2 Type 1 vs. Type 2

  • What are the differences between SOC 2 Type 1 and Type 2?

  • How do the requirements differ between them?

  • Do you have to undergo a SOC 2 Type 1 audit prior to a SOC 2 Type 2 audit?

    • If not, why would somebody do a SOC 2 Type 1 audit?

  • How do you determine the period of examination coverage?


Episode 2: Risk Management as it Applies to SOC 2

  • What role do risk management and risk assessments play in the SOC 2 process?

    • Is there a standard way to handle identified risks in this process?

  • What risk management methodology do auditors typically look for?

  • What evidence is typically required and what controls should be monitored?


Episode 3: Understanding SOC 2 Supply Chain/Vendor Management

  • What are the key areas to consider when reviewing your vendors' SOC 2 reports?

  • How should we collect related reports and evidence from our vendors?

  • What are the differences between the inclusive and carve-out methods?

  • How should I handle the vendors/sub-service organizations I work with, with regard to risk management?


Episode 4: Understanding SOC 2 Controls

  • What role do passwords play and are there any specific requirements?

    • MFA/2FA

  • Are there security awareness training requirements?

  • What role does user onboarding/offboarding play in monitoring controls?

  • What role do access controls play?

  • What role does incident response play?

  • At a high level, what role do Availability, Confidentiality, Privacy, and Processing Integrity Controls play?


Episode 5: SOC 2 Auditor Responsibilities

  • What are auditors responsible for during an audit?

  • How do teams typically communicate with the auditor?

  • What should I know about agreeing to terms of the engagement?


Episode 6: Preparing for a SOC 2 Audit

  • What does working with an auditor typically look like?

  • Does it make sense to work with an internal auditor or another resource first?

  • What do I need to consider with regards to sub-service organizations and planning for my audit?

  • Should I also get a SOC 3 report?
