This section of this website is a guide for service organizations that provide technology solutions to regulated industries such as finance, health, or government, and that need to undertake a SOC-2 audit.
Anyone familiar with the standard way that many large financial institutions handled SOX probably dreads the word 'audit'. They likely associate it with mindlessly repetitive and seemingly pointless work involving lots of paper trails.
Happily, it doesn't have to be that way. As I rather breathlessly point out in "Why undertake an audit", I believe that there are real benefits to be had. And I believe that the key to the whole thing lies in promoting the undertaking not in dull terms like "the auditor says we must..." or "the clients have told us to..." but rather in terms of a process improvement undertaking with:
Here, I'm talking about:
With all of that said, let's look at what is involved with a SOC-2 audit.
What's the scope of a SOC-2 audit for a technology service organization?