Security Posture Best Practices

Frequently Asked Questions: Audits


What is the difference between a Type 1 vs a Type 2 audit?

  • A SOC 2 Type I report evaluates your company's software, administrative, and security systems and assesses the suitability of the design of the controls your company has put in place. It is a snapshot of your controls' design at a specific point in time, so this audit will be a 1 day audit.
  • A SOC 2 Type II report goes a step further. It evaluates not only the design of the controls but also their operating effectiveness over an observation window (your audit period). You can discuss with your auditor which window is best for your organization; it can be 3 months, 6 months, 9 months, or 12 months. Most organizations start with 3 months for their first audit and then move to 12-month observation windows.

With either option, it will usually take your auditor around 4-6 weeks to issue your report, so make sure you add that time to your timeline.

Do I need a Type 1 report before I get my Type 2 report?

  • No! You can start with a Type 2 report if you wish. Some organizations do both, and others do only one, depending on when they need a report (a Type 1 is quicker to obtain). Factors to consider when deciding which report to start with are cost, timeline, and what your customers expect.

When does my observation window start?

  • You and your auditor will choose when your audit starts. Add the audit to the platform and edit the dates if needed before the audit window begins, and communicate the dates you've added to your auditor. (Selecting dates does not mean Vanta will automatically start the audit; you must make sure your auditor is also aware.)

How do I know if I am ready for audit? What do I need to do to ensure I don't get any exceptions on my report?

  • At a high level, we recommend getting all of your AUTOMATED TESTS in Vanta to 100% and discussing with your auditor when they want your DOCUMENTS uploaded. Some auditors prefer that certain documents be uploaded before or during the observation window. Ultimately, your auditor has the final say on what they expect to see finished in your Vanta account before they recommend starting the audit.
  • Audit exceptions can happen, and not all exceptions are created equal. To avoid exceptions, we recommend reviewing our Audit Readiness Checklist and meeting with your auditor before the audit to review your Vanta account.
      • You will get your report regardless of exceptions. There is no pass/fail.
  • To learn more about SOC 2 and the audit process, check out our SOC 2 Collection, which offers many resources.

How do I know if I have an auditor?

  • When you originally signed up with Vanta, you purchased either the Vanta software alone or the Vanta software together with a Seamless Auditor Bundle. If you bought the bundle, the person on your team who signed the Vanta contract will receive an email introduction to your auditor from your account executive.
  • If you purchased only the Vanta software, you did not sign up with an auditor, and you will need to request introductions so you can choose an auditor to work with (instructions below).

How do I contact my auditor?

  • If you have an auditor through a Seamless Bundle, you can reply directly to the email they sent you to begin this working relationship. If you don’t see this email, contact your CSM.
  • If you didn’t sign up with a Seamless Bundle, you can request introductions to a few of our audit partners in two ways: through your Starter Guide or by contacting your Vanta CSM and asking for a few introductions. These introductions usually take a few days, so keep that in mind with your timeline.

What should I consider when choosing an auditor?

  • Cost, timeline, location, and general likeability!

Can I work with my auditor outside of Vanta's preferred partners?

  • Yes, you can! Just let your CSM know so they can ensure your auditor has the right Vanta training.
  • The benefit of working with a Vanta Audit Partner is that they understand the Vanta platform and have adopted it into their workflows for more efficient evidence collection. This reduces the amount of evidence requested outside of the platform, ultimately making your audits run more smoothly.

What questions can I ask my auditor, and how should I work with them?

  • We recommend selecting and building a relationship with your auditor when you join Vanta. They are another partner here to help you prepare for a successful audit.
  • Auditors help you define the scope of your audit and are a great resource as you get audit-ready.
  • If your organization doesn't perform a certain practice that is asked for in Tests/Documents (for example, you don't have a board of directors), discuss this with your auditor. They can tell you whether it is a hard requirement or whether there is different evidence you can provide instead.
  • Remember, they are your go-to for any requirement or scoping questions.

Customers are asking for proof that I am starting an audit; how do I do that?

  • You can ask your auditor for an Engagement Letter. This shows your customers that you are actively engaged with an auditor and are working towards an audit. It should help satisfy your customers/prospects until you have your report in hand.

I am in Audit! YAY! What’s next?

  • During the audit window, we recommend checking the TESTS page daily to ensure you meet all SLAs for remediations. Essentially, we don't want any RED tests. Keep Vanta Green and avoid the following:
      • DO NOT disable any tests on the Tests page; if this is needed, contact your auditor first.
      • DO NOT scope any users or systems out on the Connections page.
      • DO NOT enable any Development or Test environment resources on the Connections page.
      • DO NOT disable any Production environment resources on the Connections page.
      • DO NOT change the SLAs on the SLAs page.
      • DO NOT alter any uploaded documents, including policies, organization charts, job descriptions, etc.
  • It is normal NOT to hear from your auditor much during your observation window, so don't worry if this is the case.

My Audit Window is complete! What’s next?

  • Once the observation window is complete and the findings are documented, the auditor will prepare a report summarizing the scope of the audit, the controls tested, any deficiencies identified, and overall compliance with the SOC 2 criteria.
  • If any deficiencies or areas of non-compliance are identified during the audit, you will have the opportunity to address these issues and implement corrective actions.
      • The final report is issued after any issues identified during the audit have been addressed!

I now have my report! What’s next?

  • CONGRATS on this major milestone! Make sure you share this accomplishment with your network (and use these resources to help do so). If you also purchased Trust Center, you can share your report with customers and prospects to show off your compliance posture (if you didn't and are interested, reach out to your Account Manager to learn more).
  • We recommend keeping Vanta GREEN so you maintain your controls and make the next audit much easier to prepare for. This is also a great chance to implement anything you learned from the audit.
  • We also recommend scheduling a business review with your Account Manager so you can identify additional opportunities to continue building and maturing your compliance program (is now a good time for GDPR or ISO 27001?).