Have you undergone a SSAE 18/SOC 2 audit?
Explanation
Independent attestation is the focus here: assessors want confirmation that your organization has completed a SOC 2 audit conducted under the SSAE 18 attestation framework.
A SOC 2 audit is an independent assessment conducted by a certified public accounting firm that evaluates an organization's controls related to security, availability, processing integrity, confidentiality, and/or privacy. It's designed to provide assurance to customers and partners that your organization has implemented appropriate security controls.
Why it's asked in security assessments:
- It provides third-party validation of your security practices
- It demonstrates your commitment to security and compliance
- It shows you've invested in formal security processes
- It reduces the need for customers to perform their own detailed assessments
The question is important because organizations that handle sensitive data are expected to have formal, validated security controls in place. A SOC 2 audit is one of the most recognized ways to demonstrate this.
When answering this question, you should:
- Be clear about whether you have completed a SOC 2 audit
- Specify which type (Type I or Type II) and which Trust Service Criteria were in scope
- Mention when it was completed and by which auditing firm
- If you haven't completed one, explain any plans to do so or alternative compliance frameworks you follow
Example Responses
Example Response 1
Yes, our organization has undergone a SOC 2 Type II audit Our most recent audit was completed in March 2023 by Ernst & Young, covering all five Trust Service Criteria (Security, Availability, Processing Integrity, Confidentiality, and Privacy) The audit found no significant exceptions, and we maintain continuous compliance with SOC 2 requirements We can provide the audit report under NDA upon request.
Example Response 2
Yes, we completed our first SOC 2 Type I audit in November 2022 conducted by KPMG This audit covered the Security, Availability, and Confidentiality trust criteria We are currently undergoing our SOC 2 Type II audit, which examines controls over a 12-month period, and expect to receive this certification by December 2023 We can share our current SOC 2 Type I report with prospective customers under NDA.
Example Response 3
No, we have not yet undergone a formal SSAE 18/SOC 2 audit As a growing organization, we have prioritized implementing security controls aligned with SOC 2 requirements and have completed a readiness assessment with a third-party consultant in preparation for a formal audit We have scheduled our first SOC 2 Type I audit to begin in Q3 of this year In the meantime, we follow ISO 27001 principles and can provide documentation of our security controls and practices upon request.
Context
- Tab
- Organization
- Category
- Documentation
Related questions
- Do you have a well-documented business continuity plan (BCP), with a clear owner, that is tested annually?
- Do you have a well-documented disaster recovery plan (DRP), with a clear owner, that is tested annually?
- Do you conform with a specific industry standard security framework (e.g., NIST Cybersecurity Framework, CIS Controls, ISO 27001, etc.)?
- Can you provide overall system and/or application architecture diagrams, including a full description of the data flow for all components of the system?
- Does your organization have a data privacy policy?
- Do you have a documented, and currently implemented, employee onboarding and offboarding policy?

