It is incredibly time-consuming to find the right person to join your team. A key step in this process is due diligence and understanding your potential new employees' past. Depending on your industry, you’ll either conduct a background check or a reference check (or both) during this process.

A background check is an examination of someone's past, especially their educational and work history, and whether they have ever committed any crime. A reference check is the process of connecting with previous employers, colleagues, and/or personal connections of the prospective new hire to get an understanding of their work ethic, demeanor, and other desirable traits.

​​For some organizations, a background check is a costly overkill. Consider your industry and risks to the data your organization holds or processes or the processes your organization performs, and then assess the risk of not having formal background checks. Is a reference check sufficient to cover any risks?

You'll need to provide support that a background check or reference check (depending on your process) was conducted for a new hire before employment. This can be an invoice from the background check service, the specific background check results with PII obscured, or a copy of the reference check notes.

Auditors will expect to see that all new hires during the audit period (or audit window) have undergone either a background or reference check (depending on which you have chosen to conduct). The auditor will request a sample of new hires and check that either the background check or the reference check has been completed (or both, if that is your process).

Some auditors will strongly suggest that background checks be re-done annually. If you are in a high-risk industry (defense, financial, health care), you may want to perform annual background checks on segments of your employees.

CheckR

Karma Check

Certn

For more SOC 2 evidence guidance, check out our Evidence Collection or contact your CSM directly.