Many of our clients rely on us to maintain controls that protect various areas of our business. Those controls are evaluated against the AICPA's "Trust Services Criteria," and they are tested by an independent third-party auditor on an annual basis. This means that every year, the auditor evaluates whether Deft's controls are designed appropriately and operating effectively.
Security is the one criterion every SOC 2 audit must include; an organization then selects which of the remaining criteria are in scope for its report. At Deft, we include all five:
- Security – Information and systems are protected against unauthorized access, unauthorized disclosure of information, and damage to systems that could compromise the availability, integrity, confidentiality, and privacy of information or systems and affect the entity’s ability to meet its objectives.
- Availability – Information and systems are available for operation and use to meet the entity’s objectives.
- Processing Integrity – System processing is complete, valid, accurate, timely, and authorized to meet the entity’s objectives.
- Confidentiality – Information designated as confidential is protected to meet the entity’s objectives.
- Privacy – Personal information is collected, used, retained, disclosed, and disposed of to meet the entity’s objectives.
The auditor begins collecting evidence (system reports, screenshots, log files, tickets and similar artifacts) to determine whether Deft's controls were in place and operating effectively throughout the period. This fieldwork starts near the end of our audit period, which closes on June 30th. Once all of the evidence is gathered and the tests have been performed, the auditor drafts the report that we will give to our customers. The draft takes some time to produce; we usually receive it in mid-August and review it for accuracy. Once everything looks good, the final report is issued and is ready to be distributed to our customers, typically at the beginning of September.
Each audit is a "look-back": the auditors examine evidence from the prior 12 months to confirm that all stated controls were in place and operating effectively during that period. We are often asked for a report that covers the current year and sometimes extends into the next (e.g., 2021 and 2022). Unfortunately, that's not how the process works. The report is an opinion on a period that has already elapsed, so it cannot attest to how controls will operate in the future.
Deft's audit window is based upon a fiscal year that begins on July 1st and ends on June 30th. Because some of our clients' vendor management cycles end in December, September, or even March, the mismatch between fiscal years leaves a gap between the end of our audit period and the end of a client's review period. To address this, we provide a bridge letter (sometimes called a gap letter) covering the months since the report's period end, which satisfies customer requirements for their vendor management period.
We sometimes get urgent, same-day requests for bridge letters. This puts us in a difficult position, as a bridge letter has to attest to the following:
- There have been no material changes to the control environment described in our last report;
- The controls described in the last report are still in place; and
- There have been no significant control deficiencies in the controls described in the report.
Depending upon the size and complexity of the audited organization, the effort required to verify the three statements above before signing could be substantial, well beyond a day.
We recognize the importance of these requests and the need for immediacy. But a bridge letter is far more than a Word document we create on the fly to satisfy a particular client's request: it is a written assertion by Deft's management (not an auditor's opinion) that the controls in the last report have continued to operate, and we will not sign it without confirming that is true. Should an urgent situation arise, please let us know as early as possible and we will work with you in advance to be sure your timelines can be met.
As you can see, a lot of effort goes into the SOC 2 audit process, as well as into the work that happens outside of the audit period (such as preparing bridge letters). We hope this post answers some of the common questions we receive about the SOC 2 audit, audit periods, and bridge letters.
As always, don't hesitate to let us know if you have any questions about the process.