Note: Review the introductory article on SOC 2 best practices and the associated SOC 2 workbook.
Hyperproof is a robust, all-in-one compliance operations platform that allows organizations to stay on top of all their security assurance and compliance work. With Hyperproof, organizations can identify compliance requirements, implement controls, collect and store proof, automate routine tasks, and much more.
Many organizations prefer to conduct their audits directly in Hyperproof to eliminate the typical back-and-forth between the organization and the auditor. Using Hyperproof also helps organizations greatly reduce the number of times clients are asked for the same evidence by different audit teams.
As an auditor, your role in Hyperproof varies depending on the client’s preferences—some clients may grant an auditor full access to their Hyperproof organization, while others may add an auditor as a contact, meaning that the auditor never actually logs in to the platform.
If you are an auditor who has been added to a client's Hyperproof organization, you can review all documentation the client has uploaded to Hyperproof and communicate with the client directly from the platform. Hyperproof keeps historical records with version control, so both you and the client can stay up to speed with the audit in real time.
Conducting a SOC 2 Type 1 audit in Hyperproof consists of the following three phases:
Control preparation
Gap assessment and remediation
Conducting the audit
The following steps are a suggested workflow for conducting a SOC 2 Type 1 audit in Hyperproof. You’ll find clearly defined steps for each phase of the audit, as well as instructions on how to complete those steps using Hyperproof. You’ll also find steps and instructions for client-related requirements in case your client becomes stuck and needs help completing a task.
Step 1: Control preparation
The first step is to identify the set of controls you plan to use. You can write your own or use Hyperproof's controls. If you use Hyperproof's controls, review them to ensure they meet your organization's needs, keeping in mind the level of compliance you aim to achieve.
Identifying a control set for use
If you plan to use Hyperproof's illustrative controls, follow the steps below. Otherwise, go to the next section, Tailoring controls to your organization.
From the left menu, select Programs, then click New.
Search for the SOC 2 framework, select it, and configure the Review template.
The review template allows you to select Trust Service categories. For each category you select, controls are added to the Program. Expand the sections on the right to review the requirements.
Click Next.
Add a name and optional description for the new program.
Click Create.
The Add controls to program window opens. Select a tab to do any of the following:
Add controls - Hyperproof adds a set of illustrative controls to your program. By default, all controls are selected. Clear the checkboxes next to any controls you don't want to include in the program. Click Add.
Note: These controls are provided to help get you started. You can always customize them or remove them later.
Reuse existing controls - Hyperproof looks for jumpstarts, such as controls that already exist in your organization. Select the checkbox next to the program with the controls you want to reuse, then click Add controls.
Click Add.
Tailoring controls to your organization
If you don't want to use Hyperproof's preconfigured controls, work with your auditor to write a set of controls that meet your needs and align with the requirements for your SOC 2 audit. When that set of controls is complete, continue with the next section.
Creating a SOC 2 program
If you have written your own controls and they have been approved, create a SOC 2 program, follow the CSV template requirements for importing controls, then import the controls CSV file to populate your new program.
From the left menu, select Programs.
Click New.
The Select template window opens.
Search for and select the SOC 2 framework.
The Review template window opens. The review template allows you to select Trust Service categories. For each category you select, controls are added to the Program.
Expand the sections in the right panel to review the requirements.
Click Next.
The Create program window opens.
In the Name field, enter a name for the program.
Optionally, in the Description field, enter an overview of the program.
Click Create.
The Add controls to program window opens.
Select Import controls - Import your own existing set of controls into Hyperproof. For more information on importing controls, refer to Importing controls into an existing program.
Click Add.
Creating a label library
This step is optional, but it helps keep your audit proof organized. If you add pieces of proof that are often reused to a label, you can link that label to multiple controls. By linking the label containing multiple pieces of proof, you don't have to link individual pieces of proof to each control, and changes to proof only have to be made in one place.
From the left menu, select Labels, then click New.
Enter a name for the label, then click Create.
Select the label you just created, then select the Proof tab.
Add proof to the label in one of two ways: Click Add proof or drag-and-drop files onto the proof grid.
Repeat steps 1 - 4 as necessary.
When your labels are complete and contain proof, you are ready to link them to the appropriate controls. See Linking a label to a control.
Step 2: Gap assessment and remediation
Conducting a gap assessment
You and your auditor review controls to understand the organization’s current compliance status. This is done via the SOC 2 program, typically created by the auditor.
From the left menu, select Programs, then select your SOC 2 program.
Select the Controls tab to view all of the controls in your SOC 2 program.
Review each control to determine if your organization is compliant and has the necessary proof.
Assigning control owners
Assign ownership of controls to people in your organization. Owners are responsible for ensuring that all relevant proof is linked and that the control is healthy.
From the left menu, select Programs, then select your SOC 2 program.
Select the Controls tab, then click the Grid view icon.
Bulk edit controls per owner by selecting the check boxes for the controls you want to assign.
Click the Owner link at the top of the list.
Select the owner and click Review.
Click Confirm.
Linking proof
Upload proof using Hypersyncs, tasks, or manually. You can also link labels to the control; a label can be linked to one or many audit requests. If you have questions and need to collaborate with the auditor, use the request's Activity Feed.
From the left menu, select Programs, then select your SOC 2 program.
Select the Controls tab.
Select a control, and then do one of the following:
Click the Automations tab and add a Hypersync to collect proof on the control. See Hypersync overview.
Click the Task icon to link proof via a task. Click New Task, and then create the task requesting proof from the appropriate team member. Proof can be linked after the task is created. See Creating a task.
Select the Proof tab to manually link proof. See Uploading proof manually.
If using labels, select the Labels tab, and then click Add labels. See Linking a label to a control.
Setting control health
Control health shows whether implementation, testing, freshness, and proof are complete, and healthy controls lead to a healthy program. See Editing controls.
From the left menu, select Programs, then select your SOC 2 program.
Select the Controls tab and click the Grid view icon.
Bulk edit controls by selecting the check boxes for the controls whose health you want to set.
Click the Implementation link to update the implementation status.
Click the Testing status link to update testing status.
Click ... (More options), then select Mark fresh to mark the controls as fresh.
Click ... (More options), then select Freshness settings to set the freshness.
Documenting gaps
The auditor uses the Notes tab on a control to document any identified gaps.
From the left menu, select Programs, then select your SOC 2 program.
Select the Controls tab, then click the Grid view icon.
Select the control where you want to add the notes.
Select the Notes tab.
Enter your notes. Tip: Hyperproof automatically saves your changes.
Remediating gaps
Review the auditor's noted gaps and update controls as needed by uploading new proof versions.
From the left menu, select Programs, then select your SOC 2 program.
Select the Controls tab, then click the Grid view icon.
Select the control that has the auditor's notes.
Select the Notes tab.
Review the auditor's notes.
Update the controls accordingly.
Step 3: Conducting a SOC 2 Type 1 audit
To begin your audit, engage an external auditor. The external auditor sends you a Document Request List (DRL) that they will use as the basis for the audit. See Creating an audit and importing a request list.
Creating the audit in Hyperproof
The auditor creates a new audit in Hyperproof and titles it. The title might be [YEAR] SOC 2 Type 1.
From the left menu, select Audits, and then click New.
Enter a name for the audit.
Click Create.
On the import window, click Skip.
Formatting the DRL as a CSV
To use the DRL sent to you by the external auditor, it must be in CSV format so it can be imported into Hyperproof after you create your audit.
From the left menu, select Audits, then select your audit.
Select the Requests tab.
Click Import.
Download the CSV template and update it with your requests. Be sure to structure requests in the required format with the desired proof in the descriptions and links to controls in the Control ID field.
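A pre-import sanity check for the request CSV, added here as an example; it is not Hyperproof's own code or part of its template. A request whose Control ID does not match a control in the program, or whose description does not say what proof is wanted, is the kind of row that comes back from the auditor as a follow-up action, so it is worth catching before the import. The column headers, the sample control IDs, and the sample rows are constructed assumptions; take the real column names from the CSV template you download from the Requests tab.

```python
"""
Pre-import check for a Document Request List (DRL) CSV.

Added example, not Hyperproof's code. The column names are an assumption;
use the headers from the template downloaded from Requests > Import.
"""
import csv
import io

# Assumed column headers (hypothetical; adapt to the downloaded template).
REQUIRED_COLUMNS = ("Request Name", "Description", "Control ID")

# Constructed sample: control IDs that exist in the SOC 2 program.
PROGRAM_CONTROL_IDS = {"CC6.1-01", "CC6.1-02", "CC7.2-01"}

# Constructed sample DRL with two deliberately defective rows
# (row 4 has no description, row 5 points at a control not in the program).
SAMPLE_DRL_CSV = """Request Name,Description,Control ID
Access review evidence,Quarterly user access review for production systems,CC6.1-01
MFA configuration,Screenshot of MFA enforcement policy for all staff,CC6.1-02
Logging config,,CC7.2-01
Vendor list,List of critical vendors with last review date,CC9.2-01
"""


def validate_drl(csv_text, control_ids):
    """Return a list of (row_number, problem) tuples.

    An empty list means every request names the proof it wants and links
    to a control that exists in the program, so the file is ready to import.
    Row numbers count the header as row 1 to match what a spreadsheet shows.
    """
    problems = []
    reader = csv.DictReader(io.StringIO(csv_text))
    fieldnames = reader.fieldnames or []
    missing = [c for c in REQUIRED_COLUMNS if c not in fieldnames]
    if missing:
        # Without the expected headers nothing else can be checked reliably.
        return [(0, "missing required column(s): " + ", ".join(missing))]

    for n, row in enumerate(reader, start=2):
        name = (row.get("Request Name") or "").strip()
        desc = (row.get("Description") or "").strip()
        cid = (row.get("Control ID") or "").strip()
        if not name:
            problems.append((n, "empty Request Name"))
        if not desc:
            problems.append((n, "empty Description (state the proof you want)"))
        if not cid:
            problems.append((n, "empty Control ID"))
        elif cid not in control_ids:
            problems.append((n, "Control ID %r is not in the program" % cid))
    return problems


if __name__ == "__main__":
    for row_number, problem in validate_drl(SAMPLE_DRL_CSV, PROGRAM_CONTROL_IDS):
        print("row %d: %s" % (row_number, problem))
```

Export the program's control IDs from the Controls grid view to build the real `control_ids` set; the check then tells you exactly which requests will land in the audit without a linked control.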
Collecting and linking proof to requests
When you start collecting and linking proof to a request, change the request status to indicate you have started working on it. Link the necessary proof to each request. If you choose to use labels, those must also be linked to requests. Once proof has been linked to a request, change the request status to Submitted. See Linking proof to a request.
From the left menu, select Audits, then select your audit.
Select the Requests tab.
Assign requests manually or by bulk editing.
Change the request status to In Progress (this can also be done by bulk editing).
Link proof to the requests manually or via an existing task. If using labels, click Link label to link a label to the request.
After proof is linked, change the request status from In Progress to Submitted.
Exporting the audit and delivering it to the external auditor
You or your internal auditor can export the audit, download the ZIP file, and securely transfer it to the external auditor. Note that you can also invite your external auditor to Hyperproof, where they can log in to review requests and proof. See External auditors in Hyperproof and Documentation for external auditors.
To export audit information:
From the left menu, select Audits.
Select your audit.
Select ... (More Options), then click Export audit.
Reviewing and submitting follow-up actions
Once you have submitted all of your audit requests to the external auditor, they review the audit and determine if all of the requests have been addressed.
Reviewing follow-up actions
If all requests have been satisfied, your internal auditor moves on to the next steps.
If any requests remain unsatisfied, your internal auditor updates the Document Request List, ensures the linked proof is satisfactory, re-exports the updated audit, and then delivers it to the external auditor for another review.
Producing the SOC 2 Type 1 report
Once the external auditor has approved all requests in your audit, they produce a Type 1 report outside of Hyperproof.
Conducting a postmortem on your audit
You and your internal auditor meet to determine what succeeded, what failed, and what should be repeated in future audits.
Closing the audit in Hyperproof
Your internal auditor changes the audit status to Completed.
From the left menu, select Audits, then select your audit.
Select the Details tab.
Change the status from Active to Completed.
