How to audit continuous integration/continuous deployment as part of your SOC exam

Does your organization use continuous integration (CI) and continuous deployment (CD)?

If so, you’re likely seeing exciting benefits — shorter development life cycles, automated controls, standardized builds and testing, and faster response times. But what you may not know is that CI/CD impacts your SOC audit.

As part of your SOC exam, your auditor will seek to understand the controls you have in place around CI/CD, especially considering so much of CI/CD is automated.

Which SOC exams does CI/CD impact?

While CI/CD is largely relevant to SOC 2 audits — which report on your internal controls as they relate to the security, availability, processing integrity, confidentiality and/or privacy of customer data — it is most likely to have relevance to SOC 1, SOC2+, SOC for Cybersecurity, etc.

For example, if an application performs a type of financial reporting function or payment processing, and you developed it using CI/CD, that would be relevant to a SOC 1 exam, which reports on the internal controls relevant to your customers’ financial reporting.

How to prepare for a SOC audit

Ideally, you want to have the right controls in place before your SOC exam. For organizations that leverage CI/CD, there are five big considerations to take into account when preparing for a SOC exam:

1. Committing code

When updating code, it’s common to make mistakes or to overlook how the updates interact with existing code. Your SOC auditor will look to see that you have an automated, system-enforced review (i.e., a pull request) in place, where at least one other person is required to review code for mistakes and issues before the code can be merged into the code base.

2. Unique identifiers

When you have system components performing automated functions, it’s important to enable an audit trail. This means understanding and labeling unique identifiers — such as change numbers, build numbers, system accounts, individuals logging in and the changes they’re making, etc. — so those can be tracked throughout the process.

3. Emergency changes

Sometimes, you have an issue that is negatively impacting users and requires an immediate fix. You don’t have time to perform all the regular steps (e.g., having other individuals review the code and taking it through multiple levels of testing). These emergency changes may need to bypass full testing and may be manually deployed.

However, as part of your internal controls, your system should provide a mechanism to monitor any changes that bypass the process in place.

4. Automated alerts

Automated alerts can be a very useful and provide another automated way to demonstrate deployment process control. Even small issues and bugs can spark negative impacts on your customers, so it’s important to review automated deployments to 1) ensure it was planned in the first place and 2) identify and fix any issues that may develop from the changes made.

5. Processes

One of the biggest keys to preparing for a SOC audit is ensuring you’ve developed and documented a uniform and repeatable process around CI/CD.

Creating a process flow diagram can be very helpful, since it will visualize the process — helping management understand the control points and identify gaps, as well as helping your auditor perform the SOC exam.

Wipfli can help

While continuous integration/continuous deployment isn’t going to make your SOC exam more complex, it is important to select an auditor who understands CI/CD and how to test the controls in place. Chances are, if you’re performing CI/CD development, you are working with microservices architecture, and you’re using containers and orchestration software. Because CI/CD is becoming more popular and tools continue to make this type of environment the standard, you want to work with an auditor that understands CI/CD and the underlying infrastructure.

Wipfli brings a thorough understanding of CI/CD and has experience auditing fintech, healthtech and other technology companies. We also perform SOC readiness assessments to review processes and identify gaps before your SOC audit. Click here to learn more.

Sign up to receive additional SOC audit content and information in your inbox, or continue reading on:

• SOC 1 vs SOC 2: What’s the difference?
• 3 risks of going with the low-cost SOC audit provider
• Can SOC audit controls change within the period?
• Blockchain startups, these are three big benefits of a SOC exam