Everything you need to know ahead of your SOC 2 audit
We know that an upcoming audit can be daunting, so we’ve pulled together a short(ish) guide to answer your questions and explain how it works and what you need to do in advance.
Have a read, and if you have any other questions drop us a line!
-
The technical answer is:
Define your SOC 2 scope (systems, services, Trust Principles).
Ensure policies, procedures, and controls are implemented, documented, and followed.
A readiness check helps identify and fix gaps before the audit.
More practically, assuming you've already made progress with the list above: as you get nearer to the audit, Tempo will need to review your evidence, so you need to ensure that the evidence is prepared in advance of the audit.
If you're using Drata or Vanta, you'll need to ensure that the correct evidence is uploaded to the platform.
If you're using any other system/platform, you'll need to follow Tempo / Sensiba's request list process and upload the evidence to the Sensiba "Pillar" platform for us to review.
[N.b. failing to upload this evidence may cause delays to the audit schedule.]
-
The audit phase will cover a 2 week period in which Tempo will conduct all the testing.
We'll schedule a short opening meeting at the beginning of the audit, and a short closing meeting at the end. In the middle, we will review your evidence, and may be in touch with additional requests as required - but we will seek to make this an agile, fast-moving experience.
The testing we'll conduct will include control testing, document review, and interviews. Thereafter, Tempo will pull together our report for Sensiba's sign-off and issuance. This could happen within 1 - 2 weeks of the 2-week audit period ending.
-
We offer integrated ISO 27001 and SOC 2 Audits. Because there's a relatively large control overlap, we'll look to leverage this to make a smoother integrated audit process.
Tempo will help structure this with you, but we'll typically look to combine an ISO 27001 Stage 2 with either the SOC 2 Type 1 or Type 2.
In this instance, we'll cover all the ISO 27001 controls in the more structured ISO 27001 audit process, and then deliver targeted additional testing and evidence for SOC 2 thereafter.
-
Aside from the opening and closing meetings, our SOC 2 audits are almost completely asynchronous/agile.
You'll upload the evidence to the Sensiba / Tempo Pillar platform for us to review (or to Drata / Vanta if you're using one of those), and Tempo can then review asynchronously. Follow-up requests, as needed, will be sent to you via email, Slack or Teams (whichever tool you agree upon with the auditor). In limited circumstances we might need additional meetings, but the whole process will operate largely asynchronously.
That said, you do need to be ready to provide additional evidence or respond to auditor requests as they arise!
-
The audit will be delivered over a 2 week period. We typically provisionally book this period in advance, but ultimately we will only aim to start it when you are ready to be audited.
The actual 2 week period is largely asynchronous - so we will have a scheduled opening meeting (typically on the Monday morning) and a scheduled closing meeting (typically on the Friday 2 weeks later) but the rest of the time is agile, so we won't require you to be there for start or finish times each day.
-
Remote audits are fully supported and expected!
Most of the audit is agile / asynchronous, but when we do require a video call (normally the Opening and Closing Meetings), we will typically arrange this through Google Meet (though we are happy to be flexible if you prefer Zoom or Teams).
-
Yes, but we ask you to communicate as soon as possible when you realise a delay is required.
We'll always look to be as flexible as possible - and in any event, we won't start the audit unless your evidence is gathered and ready for us to review.
Please note that if we need to reschedule, you may need to work to amended auditor availability.
-
For the opening and closing meetings, we'd like the Information Security Lead, IT / System Administrators and Process Owners, as well as Management, to join.
Once the asynchronous audit starts, the Tempo auditors will communicate with your project manager for any further requests.
-
At a Type 1 audit, controls are evaluated at a single point in time for suitability of design and implementation.
We follow the same process as a Type 2 - the audit / testing will be conducted over a 2 week period, followed by issuance of the report.
-
At a SOC 2 Type 2 audit, the controls are tested over 3–12 months for operating effectiveness.
The audit / testing will be conducted over a 2 week period, followed by issuance of your report.
-
SOC 2 compliance is confirmed via the final report; no separate certificate exists.
-
Exceptions or modified opinions indicate control issues or missing evidence, and they are common in real-world audits.
If these are found, it does not indicate a failure, but simply that improvements are needed before the next cycle.
-
If you do have exceptions or modified opinions, we are here to help!
We will assist you in fixing any weaknesses, updating documentation, and improving processes.
This can be done by documenting the remediation in the management response, or by addressing it in the next audit period.
-
If all goes smoothly during the audit period and any remediations needed were put in place, the report will usually be issued within 1-3 weeks after the 2-week audit window finishes.