Testing
True or False?
Is there an issue with the example scenario? (Need to explain why)
Is there an issue with the evidence provided? (Need to explain why)
Client Questions
100

During a SOC 2 type 2 audit it was noted that the background checks were not completed for 10 of the 20 sampled new hires.


How should we test this scenario?  

Confirm reasoning with management and add the exception to the report.

100

The staff are responsible for reaching out to the client to confirm fieldwork and FieldGuide access.

False. This is the senior's responsibility.

100

The SOC 2 type 2 period is May 1, 2022 to April 30, 2023. The client provides the new hire listing that covers the period May 1, 2022 through March 15, 2023.


Is there an issue?

Yes. The population listing should cover the period through a date within 2 weeks of the audit period end date.

100

You are completing testing for a SOC 2 type 2 audit covering the period January 1, 2022 to December 31, 2022.

The control states: Policies and procedures are reviewed and approved at least annually.


Is there an issue?

Yes. The ISP was reviewed/approved outside the period. 

100

Everything is hosted in AWS so we don't have anti-virus. Is that ok?

It depends, as we typically end up carving out workstations and the corporate network when everything is hosted in a cloud environment.

However, some cloud environments still allow users to install AV in the environment, or clients may utilize something like CrowdStrike (an EDR solution) to monitor their environment.

You should work with the client to determine the AV capabilities within the environment and whether any monitoring controls are in place.

200

During a SOC 2 type 2 audit it was noted the anti-virus solution was replaced halfway through the audit period.


How should we test this scenario?

Note the change to the control environment and test the control prior to the change and then after the change.

200

Laptops and workstations are ALWAYS in scope for SOC 2 audits.

False. Laptops and workstations may not be in scope if the system is hosted within the cloud. However, the scope would be based on how the laptops/workstations are being utilized, what security controls are in place, and whether the client wants laptops/workstations covered.

200

During a SOC 2 type 2 audit it was noted the employee roster has 180 active employees. Wolf selected a sample of 25 employees. 


Is there an issue?

Yes. The sample size should be 14 employees.

200

You are completing the testing for a SOC 2 type 2 audit for the control: 


Major product releases are communicated to customers.


Is there an issue?

No. This is appropriate as the release notes are posted on the external site.

200

We don't perform background checks on new hires prior to their onboarding date. The background checks are completed after onboarding, but their employment status is contingent on the results. Is that ok?

Yes, as long as we can confirm the background checks are completed within a reasonable time and the employment status is contingent on the results.


Note: Discuss with the senior/manager on the job what is considered timely.

300

There are multiple in-scope systems within the SOC 2 type 2 report. There were no performance monitoring alerts generated during the audit period for 4 of the 10 systems.


How should this be documented within our testing?

Break up the control to test the alerts for each system and note the control did not operate for the 4 systems that did not generate an alert.

300

You are performing a SOC 2 type 1 audit with an as of date of December 31, 2022. The control states:

The Company performs background checks on all new employees and contractors.


The next step is to select a sample of new employees and new contractors to review evidence of the background checks. 

False. You do not sample during a SOC 2 type 1 audit. 

300

You are completing the testing for a SOC 2 type 2. The control states:

Employees and contractors are required to acknowledge the Information Security Policy (ISP) and Acceptable Use Policy (AUP) upon hire and annually thereafter.


There were a total of 200 new hires during the audit period. You select a sample of 20 new hires, test the ISP acknowledgements for each, and confirm they were all signed upon hire. 


Is there an issue?

Yes, there are multiple issues.


1. The sample size should be 14 new hires 

2. You did not test the AUP acknowledgements

3. You did not test the annual ISP acknowledgements 

300

You are completing a SOC 2 type 2 audit covering the period January 1, 2022 to December 31, 2022. The control states:

The Company has purchased insurance policies to offset the financial impact of business disruptions, including disruptions arising from cyber events.


The following insurance policy was provided. Is this an issue?

Yes. The insurance coverage does not cover the full audit period. 

300

You are performing a SOC 2 type 2 audit covering the period January 1, 2022 to December 31, 2022. The client asks, "we are currently updating our BCP. The last review was performed in 2019. Is that ok?"

No. The BCP needs to be reviewed/approved within the last year (in this example, during the audit period).

400

Multiple user accounts cannot be verified against the roster and generic user list during a type 2 audit.


How should we test this scenario?

1. Compare the "unknowns" to the termination list, new hire list, and active contractor list (if provided).

2. If there are still accounts that cannot be verified, confirm the accounts are active within the system.

3. Ask the client to confirm the employment status of the unknown accounts.

4. If the client is unable to confirm the employment status, or they determine the accounts to be unnecessary or terminated, note an exception.

5. Update the user list testing and the test result to clarify the steps taken. The user list should NOT have any accounts marked as "unknown" once complete.

400

Companies can have both a SOC 1 and SOC 2 report.

True

400

In a SOC 2 audit, the password minimum length for a system is 6 characters. MFA is enforced and the system cannot be accessed outside the Company's network. 


Is there an issue?

No. We would recommend stronger password controls as a best practice, but MFA is a compensating control, so this would not be a SOC exception.

400

You are completing a SOC 2 type 2 audit covering the period January 1, 2022 to December 31, 2022.


The control states: A third party is contracted to perform penetration testing against the production environment on an annual basis. All results are reviewed by management and remediation action(s) are based on the risk ratings and the availability of resources.


Is there an issue?

Yes. The report is from outside the audit period.

400

We are performing ongoing daily vulnerability scans. Any issues identified would alert the Tech Ops group and a ticket would be created. Is this sufficient for a SOC 2 type 2?

Yes, as long as evidence of the daily scans, the alert configuration, and an example ticket from within the audit period can be provided.

500

The Company is unable to provide screenshots of the SIEM.


How should we test this scenario?

Ask to schedule some time to observe the SIEM and update the test to an observation test. The observation should include the types of events being monitored and the alerting configuration.

500

The client is struggling with providing you with the correct screenshots of their SIEM. An observation test would be sufficient. 

True. When observing, make sure to observe the events being monitored and the alerting config. Try to take screenshots to reference within the testing. 

500

You are completing the testing for a SOC 2 type 2 audit covering the period January 1, 2022 to June 30, 2022. 


The control states: User access for the technologies supporting the system is reviewed for appropriateness on an annual basis.


The client states the user access reviews are completed annually in October. Is this an issue?

Yes. This is an example of a control that did not operate during the audit period. This would be noted within the control and in the report. The client should also provide evidence of the last review that was performed, as evidence that the annual user access reviews are performed in October.

500

You are working on a SOC 2 type 1 audit. The control states:


Various event log management solutions are configured to collect logs of security events on the production network. Real-time alerts are generated and sent to appropriate personnel for specified events. 


The client provides the following screenshot. Is there an issue?

Yes. The screenshot provided shows performance and capacity metrics are monitored, not event log management. 

500

What is the difference between change management and SDLC?

Change Management = Generally related to modifying the infrastructure by adding new servers/devices, modifying configurations, or making other logical security changes. Change management could include physical controls (e.g. installing new door locks) depending on the actual boundaries of the system.


SDLC = Tends to apply when the Company offers software as a service and is constantly updating code for the product.