2

One of our clients is demanding that we complete a SOC 2 Type II audit. There is no way we will meet the standard, and, considering we only handle publicly available data, it is ridiculous that they are asking for one. We're talking about 6-8 Excel files per year that represent a very small but critical part of our business. Unfortunately, we have no choice but to comply.

I am looking for some guidance on how to bring our systems up to standard. I handle our internal IT via google search, most of our services are cloud-based, and we contract for support as needed on our internal server.

We need someone to manage the changes and documentation of our systems for the auditors. The company we contract with for IT support wants no part of this. We can't hire a full-time IT person, but we could hire a contract employee to carry us through this process.

Would it be better to hire an individual on a contract basis, or to contract with an IT company? Where would I even find a company to handle this sort of thing? Any help is greatly appreciated.

schroeder
  • 129,372
  • 55
  • 299
  • 340
user1454170
  • 21
  • 1
  • You need an auditor to do the audit. Do they want a Type 1 or Type 2 audit? – schroeder Sep 24 '18 at 19:02
  • There are lots of sites that walk you through the process, like https://www.protiviti.com/UK-en/insights/soc-2-readiness, but ultimately, you need to engage a qualified auditor that can offer this kind of audit. You might need to decide if this client just needs to be let go. – schroeder Sep 24 '18 at 19:04
  • They need a Type 2 audit, and letting them go is not an option for the company's continued success. All of our clients will probably require this eventually. My biggest problem isn't finding an auditor, but finding someone who can put the systems in place to prepare us for an audit. – user1454170 Sep 24 '18 at 19:20
  • Ok, then this question is far too broad. I'm not sure how we could help. There's no way for us to know how much work would need to be done to advise on whether you need a full-time or part-time IT employee. – schroeder Sep 24 '18 at 19:23

1 Answers1

0

When I kick off a SOC2 audit I screen at least three vendors based on he following criteria:

  • Duration of audit
  • Do they provide a pre-assessment checklist/self assessment
  • Duration from end of audit until report delivery
  • Cost
  • Sample work product
Joe M
  • 3,002
  • 1
  • 7
  • 13