In a SOC 2 audit, the Auditor expects you to know, understand, and enforce your controls. Vanta is used to provide the evidence that shows you are implementing those controls. The Auditor reads control language very literally, as assertions you are making about your control environment, and the items below are the master set of rules Vanta has built for its tests. For example, if your control language says you must complete security awareness training (SAT) before onboarding new employees, and you hire someone without completing SAT before onboarding, that will create an exception in your report.
- Policies are all written and approved within the last year
- SLAs are set
- All employees are onboarded/offboarded
  - Ensure SAT records include the employee's name and a screenshot of the completed module
  - Screenshots for SAT are checked
  - For HIPAA customers, check for HIPAA SAT
- Automated tests are addressed: passing is the ideal state, but if you need more time, open a ticket in your task tracker to show you are working on any test that is outside the SLA
  - All High/Medium severity vulnerabilities are resolved or have a remediation plan in place
  - Check SLA violations to be sure all have been acknowledged
- Documents: have most of the documents uploaded, or a plan in place to ensure the correct information is uploaded during the window
  - All applicable resources are uploaded
  - We recommend uploading all documentation produced during the observation window
- All accounts on the Access page have owners assigned
  - Ensure that individual users are linked to personal accounts (i.e., no shared accounts)
  - MFA is enabled (when possible)
- Security assessments are complete for all in-scope vendors
- The Databases page has been reviewed and all appropriate databases are encrypted
To ensure you are prepared before your audit, you and your CSM will:

- Review the Standards page to get an overview of Vanta's master set of controls and how they relate to tests.
- Review how Vanta collects evidence, via automated tests through integrations or via manual uploads on the Documents tab.
- Review control language so you know what your Auditor is referring to throughout your audit.
  - For SOC 2 customers, review the list of controls and any custom control language (e.g., "Background checks are completed for all employees" vs. "Background checks are performed before onboarding new employees").
- Prep for the "Interview" section of the Fieldwork Call and ensure you feel comfortable speaking to the ownership of controls.
  - Example: the Auditor will ask your team members to explain their onboarding process and will want to hear that it reflects the actual controls you have listed in the sheet.
  - Review what you don't need to answer, what to do, and when to push back and ask for more time.
  - Review the control language with the control owners so they understand their responsibilities (e.g., HR teams, engineers, etc.).