Congratulations! You just got your Series A funding.  You have an awesome idea that investors have bought into.  You’re ready to change the world with a product that will make your clients’ lives so much easier.

Now you have the attention of a big potential client, and you’re ready to propose.  Then you read the RFP.  The prospect is ready to move forward, and you’re ready to help them – but one of their requirements to do business with you is that you undergo a SOC 2 exam.

Or maybe you’ve worked at other start-ups, so you know that strong internal controls surrounding data storage or processing will help your business scale, and differentiate you from your competitors on the tech scene.

SOC 2 reports (and the underlying compliance) are not the result of a “set it and forget it” approach; they are the outcome of an ongoing commitment to strong internal controls that comes from the top and cascades to the bottom of your organization.  It involves planning, documenting, testing, and adhering to all appropriate controls.  The other commitment – a financial consideration – is to hire a service auditor to perform testing across time, with annual reporting requirements.

No one wants to fail their first SOC examination – and your user entities (your clients) can require a clean report.  Here are the Top 20 boxes you need to check to get started.

  • We have a defined organizational structure.
  • Designated employees develop and implement policies and procedures that address all appropriate controls, and they review these on an annual basis.
  • We have background check procedures appropriate for our organization.
  • We have established workforce conduct standards.
  • Our employees – and our clients – understand their roles and responsibilities in using our system or services.
  • Appropriate personnel are timely notified of system changes.
  • We have performed a Risk Assessment, identifying potential threats to the system and analyzing the risks of each of these threats. We have mitigation strategies for those risks.
  • On a regular basis, we perform vendor management assessments.
  • We have controls surrounding both physical and logical access.
  • Access to software, functions, and data is limited to authorized users, and we take a least-privilege, role-based approach.
  • Locations containing sensitive data are restricted to authorized personnel.
  • We have an access control system, and we monitor it to identify intrusions.
  • We have documented, tested incident response procedures.
  • Our software, hardware, and infrastructure are updated as necessary and on a regular basis.
  • Our change management process addresses deficiencies in controls.
  • We have documented, tested data backup and recovery policies and procedures.
  • We have considered environmental risks, and addressed them as appropriate.
  • We ensure data is processed, stored, and maintained, with accuracy and timeliness that matches established service levels.
  • We have controls that protect confidential information against unauthorized use.
  • We have an appropriate, documented data retention and destruction policy.

Whether you’re just starting to think about getting your controls in place and need help, or you feel like you’re all ready for your SOC 2 exam, someone from Peterson Sullivan’s IT Risk team is here to help.

For more information, please contact or IT Risk Leader Nick Norton or IT Risk Manager Bryan Geels.

Our Firm
Peterson Sullivan is a Seattle-based CPA and advisory firm known for the expertise we bring to publicly traded and closely held middle-market companies, nonprofit organizations, and high-net-worth individuals throughout the Pacific Northwest and around the world.
PS Wealth Advisors, LLC is a registered investment adviser in the state of Washington. The adviser may not transact business in states where it is not appropriately registered or exempt from registration. Individualized responses to persons that involve either the effecting of transactions in securities or the rendering of personalized investment advice for compensation will not be made without registration or exemption.