I'm currently facing a challenge during our SOC 2 renewal process. The auditor is demanding evidence for various actions and processes, including access reviews, onboarding, and offboarding, but here's the kicker: we have no recorded evidence of any of this. The person responsible for security left our team about six months ago, and unfortunately, they didn't document or store any relevant information. Now, my leadership is asking me to somehow 'recreate' the records from last year, which feels impossible. I'm looking for advice on how to handle this situation effectively and what steps I can take to address this problem without compromising integrity.
5 Answers
Honestly, you can't recreate this evidence. If you try, it's likely to lead to audit failure unless exceptions can be made. Make sure you communicate this to your leadership clearly. They need to understand the reality of the situation.
I’d suggest starting to work on well-documented processes like POAMs and SOPs. Get leadership to sign off on them, and present those to the auditor. It will show you're on top of things moving forward, even if past records are lacking.
It's crucial to be honest with the auditor. If there are no records, there are no records. They can't expect you to just pull something out of thin air. You might want to consider taking steps to ensure that this doesn't happen in future audits—like implementing better logging systems or regular reviews.
The key here is to gather whatever evidence you can. Do you have any helpdesk tickets for onboarding? Those could serve as a starting point. And remember, you shouldn't lie or fabricate evidence because that could have serious repercussions down the line.
It's really concerning that your leadership is asking you to recreate documents without any basis. I recommend getting clarification in writing. If they are suggesting you forge records to prevent a failed audit, you should absolutely refuse that request. It might also be wise to involve a compliance officer if you have one.
Sounds like you're the de facto compliance person now. That's a lot of pressure!
What would those exceptions even look like? How far can we push back? I’m overwhelmed with all this responsibility.