Getting through a SOC 2 audit with your nerves intact (Ep. 426)

And how to make friends with your auditor.

Article hero image

Once a company reaches a certain size, their customers might start asking for proof that it has good security and data habits. They want to know if there’s a business continuity plan in place in case disaster strikes. For many companies, formalizing this proof means submitting to an auditing process known as SOC 2. If you’re a developer at one of these companies, particularly if you provide or use SaaS applications, you’ll end up having to implement the controls these audits require.

On this sponsored episode of the podcast, Ben and Ryan talk with James Ciesielski, CTO and co-founder, and Megan Dean, information security and risk compliance manager, both of Rewind. We talk about how you can prep for and successfully get through a SOC 2 audit, how backing up your SaaS data can provide business continuity, and the benefits of establishing a relationship with your auditor.

A SOC 2 report shows your customers the level of security controls that you have in place. It’s based on the auditing standards set by the American Institute of Certified Public Accountants. You tell them what controls you have in place and they verify it. Once a company starts attracting enterprise-level customers, a SOC 2 becomes a must-have.

Companies perform SOC 2 audits using a variety of tools: sometimes it’s purpose-built SaaS tools; sometimes it’s a cascade of spreadsheets. Ultimately, what’s important is providing an audit trail for your controls, a record that proves that your security does what you claim it does. Trust, but verify.

The process can grow complicated, as companies can have 100 to as many as 300 SaaS applications running in their business. That’s a lot of important business data on someone else’s cloud. Many of these SaaS applications operate data on the shared responsibility model: they ensure the service is available and secure, and you ensure that your data is accurate and secure.

A key part of these security controls is disaster recovery and business continuity. Imagine that you’re using a SaaS application to track your audit process. What happens if a disgruntled employee wrecks your data, or your cat walks over your keyboard, hitting just the right combination of keys to delete something important? Or what if you unwittingly get flagged on a T&C violation and get deplatformed? Your audit trail could be lost if you haven’t upheld your end of the shared responsibility model and backed up your data.

Ultimately, having experts who know the process can help. Your auditor, too, can be a resource, so get to know them. They want you to succeed. They want to help you improve your audit process because it makes their lives easier.

The Stack Overflow blog is committed to publishing interesting articles by developers, for developers. From time to time that means working with companies that are also clients of Stack Overflow’s through our advertising, talent, or teams business. When we publish work from clients, we’ll identify it as Partner Content with tags and by including this disclaimer at the bottom.

Login with your stackoverflow.com account to take part in the discussion.