
How to Pass Your SOC 2 Audit Faster

Copyright © Tugboat Logic 2021. All rights reserved.


“The auditor is a watchdog, not a bloodhound.”

Lord Justice Lopes


Contents

Introduction
Understanding SOC 2 and Why You Need It Now
SOC 2: The Quick and Dirty
Busting the Biggest Myths About SOC 2
Tips and Tricks for Acing Your Audit
Mistakes to Avoid
Choosing the Right Auditor
Conclusion
Introduction

Nobody looks forward to getting their next security audit. Unfortunately,
you don’t always have a choice in the matter.

Maybe you need a specific attestation or certification to close your next
big deal. Maybe you’ve decided it’s high time your business improved its
security posture. Either way, by reading this guide, you’re taking the first
step to completing a security audit and for that, our hats go off to you.

The purpose of this guide is to help you and your team get through your
SOC 2 audit as quickly and painlessly as possible. Though much of the
advice is specific to SOC 2, it can be applied to other contexts as well.

Everything you read here comes from Tugboat Logic’s VP of Customer


Success, Sydney Archer, and her experience helping over 500 companies
pass their security audits. The lessons are practical, actionable and they’ve
been learned in the only way that matters—by actually helping companies
like yours.

Let’s get started.

How to Pass Your SOC 2 Audit Faster | 1


Understanding SOC 2 and Why You Need It Now



SOC 2: The Quick and Dirty

What is SOC 2?

System and Organization Controls 2 (SOC 2) is an attestation framework: an
independent auditor examines the controls your company uses to protect the
data it collects and processes during business operations, and issues a
report on them that you can share with your customers.

Who administers SOC 2?

SOC 2 is developed and maintained by the American Institute of Certified
Public Accountants (AICPA), which publishes both the Trust Services Criteria
that your controls are measured against and the attestation standards the
auditor follows. Only a licensed CPA firm can perform the examination and
issue a SOC 2 report.

What's the difference between SOC 2 Type 1 and Type 2?

Type 1 reports on whether your controls are suitably designed to meet the
criteria as of a single point in time. It is less resource intensive and sets
a baseline for future audits, so it's often the first report an organization
produces. Keep in mind, though, that most customers will ultimately want to
see that your company is making an ongoing commitment to security and privacy
through a SOC 2 Type 2 report.

Type 2 covers the same controls but also reports on whether they operated
effectively throughout a review period, typically 6 to 12 months. The auditor
tests that across the whole period: they take the full population of events
the control should have handled (new hires, terminations, changes, incidents),
sample from it, and ask for evidence that the control ran each time.
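To make concrete what "operated effectively throughout a review period" means in practice, here is an added example that is not part of the original guide. It tests one assumed control the way a Type 2 auditor would, over the whole population rather than a sample: "production access of a departed employee is revoked within one business day of the termination date recorded by HR." The control, its identifier, the review period, the HR export and the identity-provider deprovisioning log are all constructed for illustration; swap in your own exports and SLA.

```python
"""Added example: testing one control's operating effectiveness over a
SOC 2 Type 2 review period.

Control under test (assumed for illustration, not from the guide):
"Production access of a departed employee is revoked within one business
day of the termination date recorded by HR." A Type 2 auditor takes the
population of terminations inside the review period and asks for evidence
of timely revocation for each one; this script runs that test over the whole
population and ties the result to a hash of the exact exports it used.
"""
import hashlib
import json
from datetime import date, timedelta

# Constructed sample data standing in for an HR export and the
# deprovisioning log of an identity provider.
HR_TERMINATIONS = [
    {"user": "alice", "terminated": "2021-02-12"},
    {"user": "bob", "terminated": "2021-03-05"},    # a Friday
    {"user": "carol", "terminated": "2021-04-20"},
    {"user": "dave", "terminated": "2021-05-03"},
    {"user": "erin", "terminated": "2020-12-28"},   # before the period
]
IAM_DEPROVISIONING_LOG = [
    {"user": "alice", "revoked": "2021-02-12"},
    {"user": "bob", "revoked": "2021-03-08"},       # next business day (Monday)
    {"user": "carol", "revoked": "2021-04-27"},     # five business days late
    # dave: no revocation record at all
    {"user": "erin", "revoked": "2020-12-29"},
]
REVIEW_PERIOD = (date(2021, 1, 1), date(2021, 6, 30))  # constructed period


def business_days_between(start: date, end: date) -> int:
    """Weekdays strictly after `start` up to and including `end`.
    Returns -1 if `end` precedes `start`. Assumption: no holiday calendar."""
    if end < start:
        return -1
    days, d = 0, start
    while d < end:
        d += timedelta(days=1)
        if d.weekday() < 5:
            days += 1
    return days


def evidence_hash(*records) -> str:
    """SHA-256 of the canonical JSON of the inputs, so the recorded result
    can be tied to the exact exports it was computed from."""
    canonical = json.dumps(records, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode()).hexdigest()


def check_offboarding_control(terminations, revocations, period_start,
                              period_end, sla_business_days=1):
    """Population = terminations inside the review period. An exception is a
    departed user with no revocation record, or one revoked after the SLA."""
    revoked_on = {r["user"]: date.fromisoformat(r["revoked"]) for r in revocations}
    population, exceptions = [], []
    for t in terminations:
        term = date.fromisoformat(t["terminated"])
        if not (period_start <= term <= period_end):
            continue  # outside the review period: not part of the population
        population.append(t["user"])
        rev = revoked_on.get(t["user"])
        if rev is None:
            exceptions.append({"user": t["user"], "reason": "no revocation record"})
            continue
        lag = business_days_between(term, rev)
        if lag < 0 or lag > sla_business_days:
            exceptions.append({"user": t["user"],
                               "reason": f"revoked {lag} business days after termination"})
    return {
        "control": "offboarding-prod-access-1bd",   # assumed control identifier
        "period": f"{period_start}/{period_end}",
        "population": len(population),
        "exceptions": exceptions,
        "operating_effectively": not exceptions,
        "evidence_sha256": evidence_hash(terminations, revocations),
    }


def run_sample_test() -> dict:
    """Run the test over the constructed data for the constructed period."""
    return check_offboarding_control(HR_TERMINATIONS, IAM_DEPROVISIONING_LOG,
                                     *REVIEW_PERIOD)


if __name__ == "__main__":
    print(json.dumps(run_sample_test(), indent=2))
```

On the constructed data the population is four users (erin left before the period and is excluded), and two exceptions surface: carol was revoked five business days late and dave has no revocation record at all. Those are exactly the items an auditor would write up, and running a check like this monthly is what "recurring evidence collection" looks like in practice; the hash lets you show which exports each result came from.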


What Does the SOC 2 Audit Cover?

Whether you choose a SOC 2 Type 1 or Type 2 audit, you define the system in
scope (the services, infrastructure, software, people, procedures and data
that support what you promise customers), and the auditor evaluates it
against the Trust Services Criteria [1]. The criteria are grouped into five
categories. Security is mandatory in every SOC 2 report; the other four are
included only if you select them, usually because of commitments you have
made to customers. The five categories are:

Security: Information and systems are protected against unauthorized
access, unauthorized disclosure of information and damage to systems
that could compromise the availability, integrity, confidentiality and privacy
of information or systems and affect the entity’s ability to meet its
objectives.

Availability: Information and systems are available for operation and use
to meet the entity’s objectives.

Processing integrity: System processing is complete, valid, accurate,
timely and authorized to meet the entity’s objectives.

Confidentiality: Information designated as confidential is protected to
meet the entity’s objectives.

Privacy: Personal information is collected, used, retained, disclosed and
disposed of to meet the entity’s objectives.

[1] AICPA, “Information for Service Organization Management.” Accessed February 4, 2021.



Busting the Biggest Myths About SOC 2


Myth #1: Auditors want to see you fail.

Reality: Sometimes it feels like an auditor is out to get you, but trust
us—they aren’t. Having spoken to hundreds of auditors, we can confirm
that they really do have your best interests in mind.

After all, when your business is more secure, it benefits everyone.

Myth #2: SOC 2 is a list of hard and fast rules.

Reality: People think there’s a checklist of defined controls, policies and
requests that need to be implemented to pass a SOC 2 audit.

Wrong.

The SOC 2 criteria describe objectives, not prescribed controls. You choose
the controls that meet each criterion in your environment, and your auditor
judges whether they do. Auditors bring their own template control lists, and
no two of those lists are the same, so the mapping from controls to criteria
differs from one engagement to the next. One control, like a firewall that
restricts inbound traffic, can satisfy several criteria at once, and two
companies can meet the same criterion with very different controls.

This is all to say that everybody’s auditing journey is different.


Myth #3: SOC 2 only covers your technology stack and applications.

Reality: A SOC 2 audit covers the whole system you put in scope, not just
the code and infrastructure: the people who operate it, the procedures they
follow and the places they work from. Expect questions about hiring and
onboarding, security awareness training, how you manage your own vendors,
and physical controls such as who can get into your office or server room.

Myth #4: It only takes 14 days to prepare for SOC 2.

Reality: We wish.

SOC 2 isn’t just about implementing controls. Actually, that’s the easy part.

It’s also about documenting how you’re implementing the right controls.
Like your high school math teacher, auditors want you to show your work.

And that takes time.

Thankfully, there are plenty of free templates online that can get you
sorted. We can also help. It so happens that our platform can simplify the
process of documenting your policies, procedures and controls 😉


Myth #5: Vendor certifications and attestations will protect your organization.

Reality: Sadly, this just isn’t true.

Let’s look at Amazon Web Services (AWS) as an example. AWS has one of the
most robust SOC 2 reports around, demonstrating that it has done everything
it can to protect itself and its customers. But that report covers the
controls AWS operates, such as the physical security of its data centers and
the underlying hypervisor; it says nothing about how you configure the
accounts, storage buckets, keys and access policies that sit on top.
Responsibility is shared, and your auditor will expect you to show your
side of it. Read the “complementary user entity controls” section of any
vendor’s report: it lists what the vendor assumes you are doing, and every
item on it is a control you need to own.

There’s no such thing as security by osmosis.



Tips and Tricks for Acing Your Audit


Tip #1: Commit to a Date and Tell Your Customers

If you promise customers you’re going to get your SOC 2 by a specific date,
you’ll get it done.

This is especially true if a contract is at stake, and you need SOC 2 to make
it happen. Be sure your executive team understands the gravity of the
situation, and you’re likely to get their buy-in (as well as your whole team’s).

Tip #2: Set Deadlines

It takes at least a couple of months to get your SOC 2 (and a Type 2 report
adds the review period on top of that), and it’s easy to lose steam if you
haven’t built out a workback plan to hold yourself and other key stakeholders
accountable.

Tip #3: Assign a Project Manager

There are plenty of controls you need to implement and prove to your
auditor to pass any security audit, from technical ones like firewalls and
identity and access management (IAM) to organizational ones like business
continuity and disaster recovery planning. Implementation is spread across
many owners, so one person should coordinate them and track what each owes
the audit.


This is where a project manager comes in handy.

A project manager will keep stakeholders accountable and your project on
schedule. And when it comes to setting up recurring evidence collection
tasks, which occur periodically and each time you renew a certification or
attestation, you’ll have one person handling everything.

This makes all the difference. It’ll ensure your audit experience is as
seamless as possible.

Tip #4: Meet an Auditor

Do this now. Seriously. Finding the right auditor is critical to your project’s
success. Many businesses will wait until they have everything together
before approaching an auditor. Big mistake. You want to vet who you’ll be
working with and make sure there’s a fit before putting in all that legwork.
(More on this below, in “Choosing the Right Auditor”.)

Tip #5: Use Control Templates

Templates for implementing controls are… everywhere (seriously, just do a
Google search, and voila!). Your auditor should also have them. And so do
we. In fact, our platform is chock-full of them. Remember: you are not the
first person to complete a SOC 2 audit. Many have come before you. You
don’t need to build everything from the ground up.



Mistakes to Avoid


Mistake #1: You Need to Implement ALL the Security Controls.

Dozens of customers we’ve worked with come to us thinking they need to
adopt every control they can find for a certification or attestation.
Thankfully, this just isn’t the case.

Every criterion in the categories you include does have to be addressed by
at least one control, but you decide which categories beyond Security to
include, how large the in-scope system is, and which controls meet each
criterion. We recommend starting small and focusing on what’s actually
required, then expanding your scope of work as needed. And always get a
second opinion!

Mistake #2: You Can Delegate Control Implementation and Evidence Collection to Anyone.

Technically, anyone can handle control implementation and evidence
collection. But we advise against it.

You’ll want someone who: a) has a background in security, b) has experience
managing a security audit project, or c) can commit the resources to
intimately understanding what’s required of the project, like a project
manager.

Otherwise, you could end up throwing someone into the deep end. The
end result: they won’t have the authority or influence to get things done.



Choosing the Right Auditor


Interview at Least 3 Auditing Firms

Like they say, knowledge is power. That’s why we recommend interviewing
with at least three auditing firms.

Without knowing too much about your business, objectives, personality
and working style, here are four solid recommendations:

1. Armanino
2. KPMG
3. Marcum
4. PricewaterhouseCoopers

And in case you were wondering, we don’t get kickbacks from any of our
audit partners (though that would be nice).

5 Questions to Ask Potential Auditors

This is the same list of questions we provide to our customers and
prospects when they’re evaluating which auditor to work with:

1. How much time can you devote to this process? (Some auditors
offer reasonable rates because they rely on rigid processes and a
cookie-cutter approach to increase audit volumes. Make sure you
choose an auditor who will adapt to your unique situation.)


2. Do you use a template to guide the process? (This is another way
of gauging how flexible a potential auditor will be. Look for auditors
who scope each project individually based on your unique
organizational profile.)

3. Who will conduct the audit? (Sometimes, the "A-team" closes the
deal and then hands audit responsibility to the "B-team." Make sure
you know who you'll be working with.)

4. Who is the ultimate decision-maker on the audit team? (Find out
who has decision-making power, what region and time zone
they're located in, and what the process is for reaching them. You
want to know that this person is reachable and responsive to
minimize delays, frustration and miscommunication.)

5. What do your SLAs cover? (SLAs keep the auditor honest and
motivated, but they also impose expectations on you and your
team, so make sure you review those SLAs before making your
choice. In some cases, the auditor will apply penalties for delays
and charges for extra requirements, which can add up quickly if
you or your team are not ready to hit the ground running.)



Conclusion

Well, that about covers it.

If there’s one big takeaway we can offer, it’s the importance of building a trusting
relationship with your auditor. As we’ve said many times before, these people have
your back. That said, every auditor is different, and you want to make sure you
select the right one.

Once you have, don’t hold back. And if you’re using audit workflow software like
Tugboat Logic, make sure to include your vendor in the kickoff meeting with your
auditor. That way, they can work together to ensure that you succeed.

Finally, here are some parting thoughts to keep in mind:

● Don’t overcomplicate your audit prep
● Reduce the scope of your audit to what’s required—no more, no less
● Give yourself enough time to complete your audit
● And, just for good measure, work collaboratively with your auditor

Good luck and happy auditing!



About Tugboat Logic
Tugboat Logic is the Security Assurance Platform that provides
continuous compliance. Unlike traditional consulting firms, Tugboat
Logic provides automated technology to demystify the process of
creating and managing an InfoSec program. With Tugboat Logic,
companies can quickly get secure and prove it to customers.
Powered by AI, Tugboat Logic’s patent-pending technology
automates InfoSec policy creation, audit readiness, and security
questionnaire response so companies can gain trust with customers
and sell more. Tugboat Logic helps businesses prepare for audits in
half the time and at a fraction of the cost, ensures they can respond
to security questionnaires in minutes (not hours), and builds and
scales their InfoSec plan in minutes.

Start Selling More Today


Interested in turning your security and compliance program into a
business advantage? Get a free trial or contact one of our
representatives at info@tugboatlogic.com.