what it takes to pass a SOC-2 audit


Getting through a SOC-2 audit covers things like:

If your firm is publicly traded, it can also include "entity level" matters such as governance, the role of the board, and how the firm handles its public filings.

The source material for the latter is COSO, but at heart, a SOC-2 audit has a scope made up of one or more of the following "trust services principles". Quoting the AICPA's website on the subject:

The following principles and related criteria have been developed by the AICPA and the Canadian Institute of Chartered Accountants (CICA) for use by practitioners in the performance of trust services engagements:

It all sounds so easy. But within those five "principles" are hundreds of criteria, organized in a giant 55-page table. The criteria repeat across the five principles, but I don't think a service organization can adopt them without adopting hundreds of internal controls. I have managed to cover all but the "privacy" criteria in about 250 controls. (The "privacy" criteria deal with personal information, and because a service organization doesn't deal directly with the end user the way an e-commerce operation does, it's hard to put the privacy criteria to work.)

managing controls for a SOC-2 audit


To get through an annual service audit, someone has to monitor the controls in place, and monitor them at all times, not just in the weeks before the auditors arrive.


©2019-2022  michael werneburg.  michael@werneburg.ca