Checks We Perform

CC9.1 Were controls modified to address the changing risk landscape? (mitigating risks that lead to business disruption)

CC6.1 Does the report include testing of access controls beyond cloud infrastructure? (protection through logical access)

CC6.4 Are physical environments for critical roles and processes considered in the testing performed? (physical security controls)

CC6.6 Are controls for source code management, intrusion prevention, and security group hardening included in access control testing? (additional points of focus for logical access)

CC8.1 Were change tickets compared against system changes to discover undocumented changes? (change management best practices)

P1.1 Were privacy principles evaluated beyond security principles? (what is the difference between privacy and security)

C1.2 Have client agreements been inspected and compared against data repositories to ensure data disposal procedures are followed? (how contractual obligations impact confidential information)

A1.2 Does the backup process all critical data supporting the system? (data backup processes)

PI1.3 Were custom control descriptions written to capture the unique service delivery controls of the organization? (what is a service delivery walkthrough)

A1.3 Does the recovery plan testing include the restoration of data to ensure data integrity objectives have been met? (testing your business continuity and disaster recovery plan)

CC4.2 Have the ongoing processes for monitoring of operational effectiveness been tested? (who is monitoring internal control)

CC3.2 Does the scope of the risk assessment include risks across the organization beyond IT threats? (What types of risks does your organization face)

CC1.2 Have board members been interviewed to emphasize their cybersecurity and compliance obligations? (SOC 2 Academy: A Board’s Independence from Management)

CC2.2 Has a sample of employees been interviewed to ensure they understand and acknowledge their internal control responsibilities? (communicating with internal parties)

CC2.3 Do client agreements and shared responsibility models communicate the client’s role in maintaining internal control? (Communicating with external parties)

1.1 Does the scope of the SOC 2 report include the people, processes, and systems necessary for the proper functioning of internal control? (The importance of scope)

1.2 Did testing procedures include observations and sampling beyond interviews? (Why demonstration is necessary to quality audits)

1.3 Were custom control descriptions created by the service organization to reflect the unique nature of their environment? (quality reports delivered by professional writers)

1.4 Is the audit firm qualified to perform the engagement? i.e. skills, experience, compliance (Choosing the right audit firm)

CC7.2 Has vulnerability management been integrated with the build pipeline? (performing code review prior to release)

CC7.4 Was a sample of incidents inspected to evaluate the incident response process? (incident response best practices)