I'm nearing the end of my second year with compliance audits for SOC 2 Type 2, and I just received a bunch of additional evidence requests from the auditors. While I understand this is part of the process, I'm finding some of their requests to be really vague or unrelated to what they originally asked for. For instance, they wanted to see the actual password settings used in our systems. We fully utilize Entra and all our third-party apps are linked through SSO, so I thought it made sense to direct them to the default Entra password policy since we haven't customized it. However, the auditors then followed up asking for documentation on SSH public key authentication, which seems a bit out of place to me. I provided screenshots of our SSH configuration and relevant settings, but I'm unsure if that will meet their needs. Is this normal? Am I missing something, or do the auditors just not get it? I've been in this field for over 20 years, but this direct interaction with auditors is new to me.
2 Answers
Yeah, it’s pretty common for auditors to ask vague questions. They focus more on compliance than on specific technical setups, which can lead to misunderstandings. It’s smart to request specific evidence so everyone’s on the same page. They usually appreciate when you take the initiative to clarify the requirements.
It’s tough dealing with auditors since they often don’t have a tech background. It sounds like you’re on the right track by asking them for clarification on what they need. If you can, reach out to see what worked for others in your industry. Building a good relationship with them can help clarify requests and ease the process.

That makes sense! I think staying polite and willing to explain your processes is key. I like your idea of attaching a sample and seeking confirmation to avoid wasting time. It’s always better to clarify than to make assumptions!
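On the SSH evidence question raised in the original post: auditors asking about "SSH public key authentication" generally want to see that password logins are off and key logins are on for the hosts in scope. A screenshot of `sshd_config` can be misleading, because `Include` files and `Match` blocks override what the main file shows; the effective configuration is what `sshd -T` prints. The script below is an added example, not code from the thread or from any of its participants. It checks a `sshd -T` style dump against a small expected set (the set itself is an assumption for the example, not a SOC 2 requirement), and it runs here against constructed sample dumps for a compliant and a non-compliant host.

```shell
#!/bin/sh
# Added example: evaluate the *effective* sshd configuration as printed
# by `sshd -T` ("key value" per line, lowercase keys). Sample dumps are
# constructed for this example; in the field, pipe real `sshd -T` output in.

# Expected settings for a key-only SSH posture (assumption for this example).
# OpenSSH >= 8.7 prints kbdinteractiveauthentication; older releases print
# challengeresponseauthentication instead, so adjust the key for old hosts.
EXPECTED="passwordauthentication no
pubkeyauthentication yes
permitemptypasswords no
kbdinteractiveauthentication no"

# check_sshd_config: reads a `sshd -T` dump on stdin, prints one PASS/FAIL
# line per expected setting, and returns 0 only if every setting matches.
check_sshd_config() {
    config=$(cat)
    rc=0
    while read -r key want; do
        [ -z "$key" ] && continue
        # Take the last occurrence of the key, which is how the dump resolves.
        got=$(printf '%s\n' "$config" | awk -v k="$key" '$1 == k { v = $2 } END { print v }')
        if [ "$got" = "$want" ]; then
            echo "PASS $key = $got"
        else
            echo "FAIL $key = ${got:-<unset>} (expected $want)"
            rc=1
        fi
    done <<EOF
$EXPECTED
EOF
    return $rc
}

# Constructed sample dumps standing in for `sshd -T` output on two hosts.
GOOD_HOST='port 22
passwordauthentication no
pubkeyauthentication yes
permitemptypasswords no
kbdinteractiveauthentication no
authorizedkeysfile .ssh/authorized_keys'

WEAK_HOST='port 22
passwordauthentication yes
pubkeyauthentication yes
permitemptypasswords no
kbdinteractiveauthentication yes'

# Field usage (assumption: run with privileges to read the daemon config):
#   sshd -T | check_sshd_config
# Demonstration against the constructed dumps:
echo "== good host =="
printf '%s\n' "$GOOD_HOST" | check_sshd_config
echo "== weak host =="
printf '%s\n' "$WEAK_HOST" | check_sshd_config || echo "weak host would not pass as evidence"
```

Running the real command on each in-scope host and keeping the PASS/FAIL output alongside the raw `sshd -T` dump gives the auditor a dated artefact that shows enforced settings rather than a file that may not be what the daemon loaded.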