
Documentation of security controls means very little; yes, having a framework with a suite of policies and procedures is important. But a proper SOC 2 review is all about actually seeing it in place.

We do a deep dive, where we understand all of the security controls; we then test the design of these security controls by reviewing security configurations within the systems themselves, and then test the effectiveness of these controls.

So yes, we review documentation and then perform an independent review of the security measures/controls in place. For instance, we look at how batch processes are configured, then test that the appropriate security controls in relation to batch processes operated effectively.
