We’re often asked by customers embarking on the SOC 2 journey, “Can we skip the SOC 2 Type 1 and go straight into a Type 2?”
They reason that instead of paying for two audits, they would only pay for one. It seems like an easy choice, right? However, this is not a decision to be taken lightly, as there are many pros and cons to jumping directly into a SOC 2 Type 2 audit. The cost can be higher overall, more effort is involved without any time saved, and there is a greater risk of deviations appearing on your SOC 2 report. While it is possible to take a ‘running start’ to a Type 2, it is rarely recommended. The driving force behind the decision to aim for a running start must be so compelling that the end result will outweigh the risks.
There are some misconceptions floating around regarding the process of achieving a SOC 2 Type 2 via a running start. Here are a few myths debunked:
Myth One: Going straight into a SOC 2 Type 2 will be faster than the typical route.
Not necessarily. If your auditor finds a control issue (aka a test deviation), you will need time to remediate it and to find enough samples for your auditor to test. Not having enough samples could delay your auditor by up to 45 days. Also, consider the outcome of the report. Ideally it will be pristine, meaning an ‘unqualified’ audit opinion with no deviations. A running start increases the risk of a ‘qualified’ report with many deviations. While having a report with a handful of deviations may be acceptable, it is far from ideal. Note that even AWS and Azure have deviations in their control environment every now and then, but they are industry behemoths that can afford a control hiccup or two.
Myth Two: Going straight to a Type 2 will cut down on the cost of the audit.
It might. However, it’s important to consider the number of hands on deck required to prepare for and then get through the audit. If developers get sucked into compliance, which is possible in smaller organizations, their involvement will slow the speed with which product enhancements or new functionality get out to market. In small organizations, this may not be an acceptable tradeoff. Additionally, the audit will be delayed if your auditor discovers that some of your processes or controls are not operating at an acceptable level. In this scenario, the Type 2 audit is pushed out, precipitating the need for retesting and more audit fees.
Myth Three: My organization is ready.
Maybe, but how do you know for sure? Processes will need to be clearly defined, repeatable and working flawlessly every time. New processes can be cobbled together to meet an audit requirement, but the tradeoff may be a poorly designed, cumbersome and temporary solution. In your haste to become audit-ready, you may inadvertently impact the culture at your organization. For example, rolling out a new change management process without considering the impact on those who must follow it may lead to circumvented controls as your developers push back.
The Safer Bet: A Readiness Assessment
A more prudent route is to invest in a readiness assessment so you can see exactly where you stand, where you may have gaps in coverage, and how to effectively bring your people, processes and technology into the compliance fold. After a readiness assessment, you may indeed be ready to dive into a Type 2. Or, if you’d like an independent audit of your program, you can engage an auditor for a Type 1. The benefit of this approach is that if the auditor finds a process that is poorly designed, you will have time to tighten up the process prior to your Type 2.
One other consideration is that for a Type 2, the auditor will repeat some of the same procedures they performed for the Type 1. If the goal is a Type 2, you could work with your auditor to negotiate a fee structure that makes sense if you are tackling two audits within the same six- to nine-month period.
Standing up an audit-ready compliance function will be a substantial effort that will pull folks away from their important day jobs. Getting audited will then compound the impact. The decision to undertake a running start approach to a SOC 2 Type 2 must be carefully considered. If the Type 2 is a roadblock to a key contract, then it may be worth the risk and effort. If you do decide on a running start, budget for extra help to get you over the hurdle, such as third-party consultants or automated compliance solutions.