The Strike Graph Assessment Team performs SOC 2 audits through a process of three stages. The Customer Success Manager (CSM) may facilitate communication between the audit team and the organization in order to streamline the process.
Pre Audit (Type 2 only)
If you are pursuing a Type 2 audit, we request that you upload all Population-type evidence items about one week before your official audit kickoff date. Our auditors will use the week before the official kickoff date to select samples, and the sample requests and any additional population requests will be communicated via the Document Request List (DRL).
Audit Stage One
On the Monday that your audit commences, the auditor will export your organization's audit package (all controls and evidence items must be satisfied at this time!), which includes the control-to-criteria mapping, all evidence attachments, and the System Description.
After an initial review is complete, the audit team will prepare feedback and share any follow-up requests via the Document Request List (DRL). A DRL will always be generated for a Type 2 audit, as the DRL is used to communicate the auditor's sample requests. Once you receive the DRL detailing any follow-up requests, the audit moves into Stage Two.
Audit Stage Two
Your organization will need to address auditor feedback using the DRL in a timely fashion. A response time of 1-2 business days is expected; please let the auditor know if you will need additional time. All follow-ups on the DRL will be satisfied through an additional or revised evidence item uploaded to the Strike Graph platform, or through clarifying context written by the organization in the corresponding DRL column.
Once you have addressed the first round of follow-ups, indicate their Status as Done within the DRL. The Status update alerts the auditor to generate a new export package and review your organization's updated materials.
The above process is repeated as necessary until all controls/criteria are satisfied in alignment with the SOC 2 framework. Once all follow-up items have been satisfied, the auditor will inform you that no follow-ups remain, and the audit will move into Stage Three.
Audit Stage Three
The audit team prepares and sends the SOC 2 draft report to the CPA and your organization for both parties to review. Both parties may request content changes during this stage; the audit team will share the draft report with an invitation to suggest edits. Generally, these edits comprise tweaks to the System Description, formatting changes, and/or clarifications on to whom the Management Assertion should be addressed.
After the CPA and your organization approve the draft report, the SOC 2 final report is sent to both parties for signature. Once the report is finalized with both required signatures, the audit is considered complete!
Post Audit
Soon after the audit concludes, your CSM will reach out with additional information on how Strike Graph can best support your organization’s continued compliance journey. For some organizations, that involves maintaining existing controls and evidence. For others, this is a perfect time to build on your success by adding frameworks.
This closing call also provides an opportunity to talk with your CSM about any recommendations made by the auditors and how to best position and prepare your organization for a Type 2 audit.