FAQ

Frequently asked questions about our audit approach in Vanta

Vanta Velocity: FAQs


What should I put as my audit period?

For Type 2 engagements, you will select an audit period that the SOC 2 report covers. You can choose whatever period best meets your goals, between 3 and 12 months in total.

We recommend that this period commences from either a date by which you are comfortable you comply with the criteria (first-time reports), the previous Type 1 report date, or the end of the last Type 2 period. This provides continuous coverage for your enterprise customers and is the standard industry expectation. Annual Type 2 reports become the norm after your first Type 2 report.


When does AssuranceLab start the audit?

If it's your first audit with us, we will start the audit when you tell us you are ready. We recommend being 100% complete (at least 90%) in implementing the controls in Vanta, so that we can complete the full audit in one go and best leverage the AI-review functionality. Let us know if you are stuck on any areas, or if you need to commence the audit before full implementation is complete because of timing.


How long does the audit take?

We're working to an SLA of completing your audit and reporting within a 2-4 week timeframe. This depends on whether you've completed all items, the quality of the evidence provided, and your team providing timely responses to any audit queries we have. Our AI audit offering fast-tracks the audit results and provides greater insight, which helps us raise clearer audit queries and mark off the controls.


What if some of the controls are not applicable or different in our context?

We have devised meaningful but generic control descriptions that are flexible enough to cover the various ways you might actually operate the controls. If you do come across controls you believe are not applicable, or that do not accurately reflect how you operate, it's best to add a note on those controls for our audit team so that we can navigate that with less back and forth.


What are examples of where the controls may vary?

A common example we see in our startup clients is that they don't have a Board of Directors. The same type of governance and oversight is expected and required to meet the criteria, but it may instead be performed by your senior management team or founders. We also see our clients have varying ways of defining incidents, of scoping the third-party vendors they monitor, or of assessing and managing risks. These types of variances generally do not require adjusting the controls, as the purpose of each control is still satisfied despite the variations.


Do I need to have performed all controls before a Type 1 report?

For a Type 1 report, there is some flexibility in the timing of when controls are performed. This is particularly relevant for DR/BCP testing and penetration testing, which can be costly and time-consuming exercises. A Type 1 report can be achieved by proving you have plans in place for those before they are actually conducted. For a BCP/DR test, that should include proving it has been scheduled; for a penetration test, an executed statement of work that shows the scope, timing and approach agreed with a third-party provider. Other common examples we see are new joiner and exit checklists, new incident management tracking, and employee performance reviews, where new processes may have been set up with templates and control designs but not yet conducted.


How do we address failing auto-tests?

It's best to investigate and resolve the cause of the failure in Vanta, which has guidance for each automated test. In some cases you may find the failure to be appropriate based on the context or nature of your environment. You can adjust the scope of the auto-tests to align with your reporting scope. For example, you may have databases that are public and unencrypted where they do not hold any sensitive data. These can be excluded from the tests with commentary added accordingly. This may apply to databases, user access, employees, or whatever circumstances apply; please capture comments accordingly so we can review those when we're assessing the respective controls.


I use a third-party to manage my infrastructure. How does this impact the audit and the evidence I need to provide?

Our audit procedures typically only cover the controls you own or are involved in managing. Where you rely on a third party to manage your infrastructure, such as a fully managed database-as-a-service platform, we will reference those as sub-service organisation controls. There's no additional evidence required from you unless you have a direct responsibility in managing those controls.


I've added Privacy trust services criteria to my scope. How do I understand some of the terms used in Privacy?

The Privacy trust services criteria refer to specific terms that can be confusing the first time around. Here are some helpful definitions. When in doubt, reach out to your audit team for additional support.

  • Data controller: An entity that (alone or jointly with others) determines the purposes for and the means by which personal data is processed. So, if your company/organisation decides ‘why’ and ‘how’ the personal data should be processed it is the data controller.
  • Data processor: An entity that processes personal data at the direction of a data controller. In many cases, a service organization may process personal data for its business-to-business (B2B) customers (user entities), which in turn may function as data controllers. In other cases, a service organization may function as a data controller, depending on the facts and circumstances.
  • Data subject: The individual about whom personal information is collected.
  • Example: 

    A private company provides software to process healthcare data for patient assessments. Using the software, the company provides tracking and reporting to their healthcare provider customers.

    The company’s sole purpose in processing healthcare data is to provide this service to the healthcare providers. The providers set the purpose – to process data for assessments and reporting. The company does not determine the purposes of the processing, it merely provides the processing service. This company is likely to be a processor. The healthcare provider is the data controller. The healthcare provider's patients are the data subjects.


How do I know which policies to prioritise finalising for the audit?

This varies based on which specific policies you document the procedures, requirements or topics in. The policies we typically expect to see include:

  1. Code of Conduct
  2. Access Control Policy
  3. Asset Management Policy
  4. Operations Security Policy
  5. Incident Response Plan
  6. Information Security Policy (AUP)
  7. Human Resource Security Policy
  8. Risk Assessment Policy
  9. Third-Party Management Policy
  10. Data Management Policy
  11. Business Continuity and Disaster Recovery Plan
  12. Secure Development Policy

How are the AI Audits impacting the continuous audit model?

As of 2024, our continuous audit model has continued to evolve with the introduction of our AI audits, now becoming the preferred method for conducting continuous audit practices.