SOC 2 COMPLIANCE CHECKLIST


KirkpatrickPrice

Innovation. Integrity. Delivered.

SOC 2 Compliance Checklist

The SOC 2 audit is based on a set of criteria that are used in evaluating controls relevant to the security, availability, or processing integrity of a system, or the confidentiality or privacy of the information processed by the system.

What system components are evaluated during a SOC 2 audit?

• Infrastructure (physical, IT, or other hardware such as mobile devices)
• Software (application programs and IT system software that supports application programs, such as OS and utilities)
• People (all personnel involved in the use of the system)
• Processes (all automated and manual procedures)
• Data (transmission streams, files, databases, tables, and output used or processed by a system)

What are your auditors looking for?

• Fairness of the presentation of a description of a service organization’s system relevant to one or more of the Trust Services Criteria
• Design and operating effectiveness of a service organization’s controls over a system relevant to one or more of the Trust Services Criteria

What are the Trust Services Criteria?

• Security
• Availability
• Confidentiality
• Processing Integrity
• Privacy

16057 W. Tampa Palms Blvd. | #134 | Tampa, FL 33647 | kirkpatrickprice.com | 800.770.2701


Compliance Checklist:

❒ Do you have a defined organizational structure?

❒ Designate authorized employees to develop and implement policies and procedures

❒ What are your background screening procedures?

❒ Is access to data, software, functions, and other IT resources limited to authorized personnel based on roles?

❒ Restrict physical access to sensitive locations to authorized personnel only.

❒ Do you have established workforce conduct standards?

❒ Have you implemented an access control system and implemented monitoring to identify intrusions?

❒ Do your clients and employees understand their role in using your system or service?

❒ Develop and test incident response procedures

❒ Are system changes effectively communicated to the appropriate personnel in a timely manner?

❒ Are software, hardware, and infrastructure updated regularly as necessary?

❒ Perform a Risk Assessment

❒ Do you have a change management process to address deficiencies in controls?

❒ Have you identified potential threats to the system?

❒ What are your data backup and recovery policies?

❒ Have you analyzed the significance of the risks associated with each threat?

❒ How are you addressing environmental risks?

❒ What are your mitigation strategies for those risks?

❒ Have your recovery plan procedures been tested and documented?

❒ Perform regular vendor management assessments

❒ Develop policies and procedures that address all controls

❒ How are you ensuring that data is processed, stored, and maintained accurately and in a timely manner, as committed?

❒ Annual policy and procedure review

❒ How are you protecting confidential information against unauthorized access, use, and disclosure?

❒ Do you have physical and logical access controls in place?

❒ Do you have a fully documented data retention policy?


