Once the company decides to go through the audit, the process typically consists of the following steps:
Readiness Self Assessment
This step establishes if necessary controls have been designed and are operating effectively. This step also includes the establishment of the audit’s scope. The readiness assessment may be conducted by the company’s internal resources, a CPA firm, or a consulting company.
This step involves addressing the gaps identified in the Readiness Self Assessment. The CPA firm performing the audit cannot be involved in this step to avoid any conflict of interest. For this reason, this step is performed either by the company or by a consulting firm, like Planet 9.
SOC 2 Type II Audit
In this step, the selected CPA firm performs the audit. The audit can be only performed by an independent CPA firm. It can be the firm involved in the Readiness Assessment or another CPA firm. However, this step still requires significant resources commitment from the auditee (the company) as the company will have to provide a lot of documentation and perform evidence testing.
After a report is issued, the work does not stop. The company has to maintain, improve, and monitor the audited controls in order to ensure a successful audit report the following year.