SOC 2 Type 2 Audit: What to Expect and How to Prepare

Preparing for a SOC 2 Type 2 audit? Learn the Trust Services Criteria, readiness assessment, evidence collection, and how to choose the right auditor.

March 9, 2026 · 6 min read · ShipSafer Team

A SOC 2 Type 2 report is the de facto trust credential for B2B SaaS companies. Prospects expect it, enterprise procurement teams require it, and security questionnaires ask for it repeatedly. Unlike a Type 1 report — which is a point-in-time snapshot — a Type 2 report covers a sustained observation period, typically 6 to 12 months, demonstrating that your controls were not just designed correctly but were operating effectively over time.

Getting through a SOC 2 Type 2 audit without surprises requires preparation that starts well before the auditor arrives.

Understanding the Trust Services Criteria

AICPA's Trust Services Criteria (TSC) are the control framework underlying SOC 2. There are five categories:

Security (CC series) — Required for every SOC 2 report. Covers logical access, change management, risk assessment, incident response, and monitoring. This is the "Common Criteria" that forms the foundation.

Availability (A series) — Required if uptime commitments are part of your service. Covers monitoring, backup, recovery, and capacity management.

Processing Integrity (PI series) — Relevant for data processing services. Ensures that processing is complete, accurate, timely, and authorized.

Confidentiality (C series) — Covers identification, handling, and disposal of confidential information. Often relevant when you handle customer data that is marked confidential.

Privacy (P series) — Covers the full AICPA privacy framework, including notice, consent, collection limitation, and data quality. More extensive than the GDPR or CCPA alignment work most companies have done.

Most SaaS companies start with Security only, then add Availability if their SLAs are a differentiator.

The Readiness Assessment

Before engaging your audit firm, run a readiness assessment. This can be done internally or with a third-party consultant. The goal is to identify gaps between your current controls and what the TSC requires, so you can remediate before the audit observation period begins.

A readiness assessment covers:

  • Policies and procedures: Do you have documented, approved policies for access control, change management, incident response, vendor management, and risk assessment? Are they reviewed annually?
  • Access controls: Is access to production systems restricted to least privilege? Is MFA enforced? Are access reviews performed?
  • Change management: Is there a documented SDLC? Are changes reviewed and approved before deployment? Are emergency changes tracked?
  • Monitoring and alerting: Are security events logged? Are logs retained for at least 12 months? Are alerts investigated and documented?
  • Vendor management: Do you maintain a vendor inventory? Are third-party processors reviewed for SOC 2 or equivalent compliance?

The output of a readiness assessment is a gap report with remediation owners and timelines. Budget at least 60–90 days to close gaps before starting your observation period.

Starting the Observation Period

The audit observation period is when your controls are actually being tested. For a Type 2 report, the minimum observation period is six months. Most companies use six months for their first audit and extend to twelve months for renewals to give customers a longer window of assurance.

During this period, your auditor will periodically request evidence. The key is to ensure your controls are actually running — not just documented. Common failures:

  • Access reviews were planned quarterly but only one review was completed during a six-month period
  • Vulnerability scans were scheduled monthly but findings were not remediated within the defined SLA
  • Security training was assigned but completion rates were not tracked
  • Logs were enabled but the SIEM alerts were never actually reviewed

The auditor tests the operating effectiveness of controls by sampling evidence. For a six-month period, expect sample sizes of 25–60 items per control depending on frequency.
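The failures listed above share one pattern: the control exists on paper but the evidence trail has gaps the auditor's sample will hit. The following is an added example, not code from the article or from ShipSafer, showing a continuous-monitoring check that a team can run against its own evidence log before the auditor does. It maps sample controls to TSC criterion numbers, compares evidence dates against the planned cadence over a constructed six-month observation window, and flags vulnerability findings whose remediation exceeded a constructed internal SLA. The control names, dates, findings and SLA values are all assumptions made for illustration.

```python
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import date
from typing import List, Optional

# Planned cadence of each control, expressed as months between runs.
PERIOD_MONTHS = {"monthly": 1, "quarterly": 3, "annual": 12}

# Constructed remediation SLA in days per severity (illustrative policy values).
SLA_DAYS = {"critical": 7, "high": 30, "medium": 90}


@dataclass
class Control:
    control_id: str                 # TSC criterion the evidence is filed under
    name: str
    frequency: str                  # key into PERIOD_MONTHS
    evidence_dates: List[date] = field(default_factory=list)


@dataclass
class Finding:
    finding_id: str
    severity: str                   # key into SLA_DAYS
    found: date
    remediated: Optional[date]      # None means still open


def months_between(start: date, end: date) -> int:
    """Whole calendar months covered by an inclusive window (Jan 1..Jun 30 -> 6)."""
    return (end.year - start.year) * 12 + (end.month - start.month) + 1


def check_cadence(control: Control, start: date, end: date, grace_days: int = 14) -> dict:
    """Compare observed evidence against the planned cadence for one control.

    A control passes only if enough runs fall inside the window AND no stretch
    of the window is longer than one period plus a grace allowance; the second
    test catches 'two reviews, both in the last month' before the auditor does.
    """
    period = PERIOD_MONTHS[control.frequency]
    expected = max(1, months_between(start, end) // period)
    in_window = sorted(d for d in control.evidence_dates if start <= d <= end)
    # Longest evidence-free stretch, measured from the window edges as well.
    points = [start] + in_window + [end]
    max_gap = max((b - a).days for a, b in zip(points, points[1:]))
    allowed_gap = period * 31 + grace_days
    return {
        "control_id": control.control_id,
        "name": control.name,
        "expected": expected,
        "observed": len(in_window),
        "max_gap_days": max_gap,
        "passed": len(in_window) >= expected and max_gap <= allowed_gap,
    }


def sla_breaches(findings: List[Finding], as_of: date) -> List[str]:
    """Return ids of findings closed (or still open as of `as_of`) past their SLA."""
    breached = []
    for f in findings:
        closed = f.remediated or as_of
        if (closed - f.found).days > SLA_DAYS[f.severity]:
            breached.append(f.finding_id)
    return breached


# Constructed six-month observation window and sample evidence log.
WINDOW_START, WINDOW_END = date(2025, 1, 1), date(2025, 6, 30)

SAMPLE_CONTROLS = [
    # Planned quarterly, but only one review actually happened (the article's first failure).
    Control("CC6.2", "Quarterly user access review", "quarterly", [date(2025, 3, 15)]),
    # Monthly scans that did run every month.
    Control("CC7.1", "Monthly vulnerability scan", "monthly",
            [date(2025, m, 5) for m in range(1, 7)]),
]

SAMPLE_FINDINGS = [
    Finding("F-1", "high", date(2025, 2, 1), date(2025, 2, 20)),      # 19 days, within SLA
    Finding("F-2", "critical", date(2025, 3, 1), date(2025, 3, 20)),  # 19 days, SLA is 7
    Finding("F-3", "medium", date(2025, 3, 25), None),                # open 97 days at window end
]


def sample_report() -> dict:
    """Run both checks over the constructed data and return the results."""
    return {
        "cadence": [check_cadence(c, WINDOW_START, WINDOW_END) for c in SAMPLE_CONTROLS],
        "sla_breaches": sla_breaches(SAMPLE_FINDINGS, WINDOW_END),
    }


if __name__ == "__main__":
    report = sample_report()
    for r in report["cadence"]:
        status = "OK " if r["passed"] else "GAP"
        print(f'{status} {r["control_id"]} {r["name"]}: '
              f'{r["observed"]}/{r["expected"]} runs, longest gap {r["max_gap_days"]} days')
    print("SLA breaches:", ", ".join(report["sla_breaches"]) or "none")
```

Running the script against the constructed data flags the access review (one run where two were expected) and two of the three findings, which is exactly the kind of exception a sampled test would surface. Feeding it the real evidence log at the end of each month turns the "were not tracked" failures above into something caught during the observation period rather than in the draft report.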

Evidence Collection: What Auditors Ask For

Evidence falls into a few categories. Building your evidence collection process before the audit period saves significant time.

Screenshots and exports: Access lists from your identity provider, MFA enrollment reports, firewall configurations, vulnerability scan results, penetration test reports.

Tickets and records: Change management tickets showing approvals, incident response records, access request and approval records, termination checklists.

Policies: Current, signed, and dated versions of all required policies with evidence of annual review.

Vendor documentation: SOC 2 reports or equivalent for your critical subprocessors (AWS, Stripe, Salesforce, etc.). These should be dated within the observation period.

Training records: Completion reports for security awareness training with dates.

A common best practice is to maintain an evidence folder in a shared drive, organized by TSC criterion number. When your auditor sends a request list (called a PBC — Prepared By Client list), you can fulfill it quickly rather than scrambling.

Selecting the Right Auditor

SOC 2 audits must be performed by a licensed CPA firm. Beyond that requirement, selection criteria matter:

Industry specialization: Auditors who primarily work with SaaS companies understand cloud-native architectures, CI/CD pipelines, and IaC. They will not ask you to produce evidence in formats that do not apply to your stack.

Turnaround time: Some firms have backlogs. Ask specifically how long from end of field work to draft report delivery. Six weeks is typical; twelve weeks is too long if you are trying to include the report in an active sales process.

Ongoing relationship: A firm that does your Type 2 annually will build institutional knowledge of your environment. The first year audit is always the hardest; subsequent years are faster.

Price: Audit fees for a small SaaS company start around $15,000–$20,000 for a first-year Security-only engagement. Larger scope, multiple criteria, or Big Four firms can push costs to $60,000+.

Compliance automation platforms (like Vanta, Drata, or Secureframe) can reduce audit prep costs significantly by collecting evidence continuously. Many have preferred auditor relationships and discounted rates.

What the Report Looks Like

A SOC 2 Type 2 report has four sections:

  1. Management's description of the system — what your product does, the boundaries of the system, and your control environment
  2. Management's assertion — a signed statement that the description is accurate
  3. Auditor's opinion — the CPA firm's independent opinion on whether controls were designed and operating effectively
  4. Description of tests and results — the detailed control-by-control test results, including any exceptions

Exceptions are common in first-year audits. An exception is noted when the auditor finds that a control did not operate as described for one or more samples. Exceptions do not automatically mean a qualified (negative) opinion — the auditor evaluates materiality. But exceptions do generate conversations with prospects, so it is worth understanding each one and having a clear remediation narrative.

After the Audit

The report is typically valid for 12 months from the end of the observation period. Maintain your controls throughout the year — do not let access reviews or vendor reviews lapse between audit cycles. Prospects will ask for your most recent report, and a report that covers a period ending 14 months ago raises questions.

Plan your next observation period to start before the current one ends, so you always have a fresh report available.