SOC 2 Type II Audit: Preparation Checklist

Understanding SOC 2

SOC 2 (System and Organization Controls 2) is an auditing framework developed by the AICPA for service organisations that handle customer data. It evaluates an organisation's controls relevant to one or more Trust Services Criteria. Unlike certifications such as ISO 27001, SOC 2 results in an attestation report issued by an independent CPA firm. SOC 2 reports have become a baseline expectation for SaaS providers, data centres, and managed service providers.

Type I vs Type II

Understanding the difference is critical for planning:

• Type I: Evaluates the design and implementation of controls at a specific point in time. It answers: "Are the right controls in place?"
• Type II: Evaluates the design, implementation, and operating effectiveness of controls over a period of time, typically 6 to 12 months. It answers: "Are the controls working consistently?"

Most customers require a Type II report. Some organisations start with a Type I to validate control design before committing to a full observation period.

The Trust Services Criteria

SOC 2 evaluates controls against five Trust Services Criteria (TSC):

• Security (Common Criteria): Required for all engagements. Covers protection against unauthorised access.
• Availability: Addresses system uptime, performance monitoring, and disaster recovery.
• Processing Integrity: Ensures system processing is complete, valid, accurate, and timely.
• Confidentiality: Covers protection of confidential information throughout its lifecycle.
• Privacy: Addresses the collection, use, retention, and disposal of personal information.

Select criteria based on your customers' expectations and the services you provide.

Readiness Assessment

Before engaging an auditor, conduct a readiness assessment:

• Map existing controls to the selected Trust Services Criteria
• Identify gaps where controls are missing or inconsistently applied
• Review control descriptions for accuracy and completeness
• Test critical controls internally to verify they operate as designed
• Remediate identified gaps before the observation period begins

Evidence Collection Strategy

SOC 2 auditors require evidence demonstrating controls operated effectively throughout the observation period. Prepare by:

• Implementing centralised logging and monitoring systems
• Maintaining records of access reviews, change approvals, and incident responses
• Documenting employee onboarding and offboarding with timestamps
• Keeping vulnerability scanning and penetration testing evidence
• Retaining training completion records and policy acknowledgements
• Automating evidence collection where possible using compliance tools

Preparation Checklist

Verify readiness with this checklist:

• Information security policies are approved and distributed
• Risk assessment has been conducted within the past 12 months
• Access reviews are performed and documented quarterly
• Change management process is followed consistently with approval evidence
• Vulnerability scans are conducted at least quarterly
• Incident response plan is documented and tested
• Vendor management programme includes security assessments
• Employee security awareness training is completed annually

Select a CPA firm experienced in SOC 2 engagements, establish a clear timeline, and communicate openly about known issues. A well-prepared SOC 2 Type II audit builds customer trust and strengthens your security posture. Start preparation at least six months before your desired report date.