How to Prepare for a SOC 2 Audit: The Practitioner's Roadmap
A month-by-month guide to SOC 2 audit preparation covering gap assessment, remediation, auditor selection, evidence collection, and observation period management for first-time Type II examinations.
Why SOC 2 Preparation Takes 9-15 Months (and Why Shortcuts Fail)
SOC 2 is not a certification you apply for — it is an attestation issued by a licensed CPA firm after examining whether your controls operate effectively over time. The distinction matters: there is no pass/fail checkbox, no self-certification, and no shortcut that avoids the observation period.
First-time Type II examinations typically require 9-15 months from decision to report. Organizations that attempt to compress this below 6 months almost always receive qualified opinions or face costly re-examinations. The timeline breaks into five phases: assessment (1-2 months), remediation (2-5 months), observation period (3-6 months), examination fieldwork (4-6 weeks), and report issuance (2-4 weeks).
The single most common preparation mistake is starting the observation period before controls are mature. The observation clock should not begin until every in-scope control has been operating consistently for at least 30 days. Starting early guarantees exceptions — instances where controls did not operate as designed — and exceptions are what turn unqualified opinions into qualified ones.
Phase 1: Assess Where You Stand (Months 1-2)
Before spending money on auditors or compliance platforms, you need to know the scope of work. A gap assessment compares your current controls against the AICPA Trust Service Criteria to identify what is missing, weak, or undocumented.
You have two options. A self-assessment costs nothing but carries an inherent bias: organizations consistently overestimate their control maturity by 20-30%. A professional readiness assessment, performed by a CPA firm, costs $3,000-$15,000 but applies auditor-grade scrutiny. For organizations new to SOC 2, the professional assessment catches gaps self-assessment misses — particularly in governance and organizational controls (CC1-CC5) that technical teams routinely underestimate.
During this phase, you also define your TSC scope. Security (Common Criteria CC1-CC9) is mandatory for every SOC 2 examination. The four optional criteria — Availability, Confidentiality, Processing Integrity, and Privacy — should be included only when your service commitments require them. Each additional criterion adds $2,000-$5,000 to audit costs and weeks of preparation. The most common combination for SaaS companies is Security plus Availability.
Want to see where your controls stand right now? Take the free SOC 2 gap assessment to get a weighted readiness score, top gap areas, and cost estimates before engaging an auditor.
Phase 2: Close the Gaps (Months 2-5)
Remediation is where the real work happens, and it is rarely a pure IT project. Approximately 50% of SOC 2 controls cover governance, risk management, policies, and operational processes — not technical configurations. A company with perfect encryption but no formal onboarding process, risk assessment methodology, or board oversight of security will fail the examination.
Prioritize gaps by audit materiality, not ease of implementation. The most common gap areas auditors find are:
- Access controls (CC6): Excessive privileges, no quarterly access reviews, delayed deprovisioning of terminated employees, inconsistent MFA enforcement. This is the most frequently cited deficiency across all SOC 2 examinations.
- Stale or template-based policies (CC1): Policies downloaded from the internet, customized only in the header, and never reviewed. Auditors ask for evidence that policies are actually followed — approval logs, review records, training completion rates.
- Change management (CC8): The same person who writes code also reviews, approves, and deploys it. No segregation of duties, no documented testing before deployment.
- Incident response (CC7): Plans exist on paper but have never been tested through tabletop exercises. The absence of documented incidents may mean incidents are not being detected.
Foundational gaps in governance (CC1-CC5) should be addressed before technical controls. Auditors expect the governance framework to exist before evaluating whether technical implementations are effective.
Phase 3: Select Your Auditor and Start the Clock (Months 3-4)
SOC 2 examinations must be performed by a licensed CPA firm. Auditor selection directly affects your experience, timeline, and outcome.
Key selection criteria: (1) AICPA membership and state licensing, (2) prior SOC 2 experience with companies of your size and tech stack, (3) evidence collection approach — firms integrated with compliance platforms (Vanta, Drata, Secureframe) reduce friction, (4) references from similar companies, and (5) cost transparency.
Big 4 firms charge $100,000+ and are impractical for companies under 500 employees. Mid-tier and boutique firms ($15,000-$50,000) are the standard choice. Some firms offer bundled readiness assessment plus audit packages, which provides continuity — the same team that assesses your gaps later examines your controls. The tradeoff: if the same firm performs both readiness and examination, AICPA independence rules limit how much remediation guidance they can provide.
The decision between Type I and Type II matters here. Type I evaluates control design at a point in time ($5,000-$20,000, completed in weeks). Type II evaluates both design and operating effectiveness over a 3-12 month observation period ($20,000-$70,000). Most practitioners now recommend skipping Type I entirely and going directly to Type II if controls have been operating for 3+ months. Enterprise customers increasingly reject Type I reports.
Phase 4: The Observation Period (Months 4-10)
The observation period is the window during which your controls must operate consistently. For first-time Type II examinations, this is typically 3-6 months. Renewal audits typically cover 12 months.
During this period, you cannot retroactively create evidence. Every access review, vulnerability scan, incident response test, change approval, and policy acknowledgment must be documented as it happens. This is why compliance automation platforms (Vanta, Drata, Secureframe, Sprinto) have become standard — they continuously collect evidence via API integrations with your cloud providers, identity systems, HR platforms, and code repositories.
The manual alternative — screenshots, spreadsheet logs, email approvals — is workable but labor-intensive. A single missed quarterly access review or lapsed vulnerability scan creates an exception that appears in your report. Evidence must be timestamped and contextual: a screenshot without a visible date or system URL is rejected by auditors.
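The access-control gaps described in Phase 2 (delayed deprovisioning, missing quarterly reviews, inconsistent MFA) and the evidence requirement above (timestamped, tied to a named source system) can both be exercised by one small reconciliation check. The Python script below is an added example, not tooling from this page or from any of the compliance platforms it names. The HR roster, identity-provider export and access-review log are constructed sample data; the 24-hour deprovisioning SLA, the 90-day review interval and the `idp.example.internal` source name are assumptions chosen for the illustration.

```python
"""Reconcile an HR roster, an identity-provider (IdP) account export and an
access-review log, then wrap the findings in a timestamped evidence record.
Added illustration; all inputs are constructed sample data."""
from datetime import datetime, timedelta, timezone
import json

# Assumed control parameters (the page does not state them).
DEPROVISION_SLA = timedelta(hours=24)   # terminated staff lose access within 24h
REVIEW_INTERVAL = timedelta(days=90)    # "quarterly" review checked as 90 days
SOURCE_SYSTEM = "idp.example.internal"  # placeholder name recorded in the evidence

# Constructed sample data: the point in time the check runs and three exports.
AS_OF = datetime(2024, 3, 10, 9, 0, tzinfo=timezone.utc)
HR_ROSTER = [
    {"user": "alice", "status": "active", "terminated_at": None},
    {"user": "bob", "status": "terminated", "terminated_at": "2024-03-01T17:00:00Z"},
    {"user": "carol", "status": "terminated", "terminated_at": "2024-03-09T12:00:00Z"},
]
IDP_ACCOUNTS = [
    {"user": "alice", "enabled": True, "mfa_enrolled": True, "disabled_at": None},
    {"user": "bob", "enabled": True, "mfa_enrolled": True, "disabled_at": None},
    {"user": "carol", "enabled": False, "mfa_enrolled": True, "disabled_at": "2024-03-09T15:00:00Z"},
    {"user": "dave", "enabled": True, "mfa_enrolled": False, "disabled_at": None},
]
REVIEW_LOG = [
    {"user": "alice", "reviewed_at": "2024-01-20T10:00:00Z"},
    {"user": "bob", "reviewed_at": "2023-11-01T10:00:00Z"},
]


def _ts(s):
    """Parse an ISO-8601 UTC timestamp such as 2024-03-01T17:00:00Z."""
    return datetime.fromisoformat(s.replace("Z", "+00:00"))


def check_access_controls(hr_roster, idp_accounts, review_log, as_of):
    """Return a list of findings; each is a dict with user, control and issue."""
    hr = {r["user"]: r for r in hr_roster}
    epoch = datetime.min.replace(tzinfo=timezone.utc)
    last_review = {}
    for entry in review_log:  # keep the most recent review per user
        seen = _ts(entry["reviewed_at"])
        if seen > last_review.get(entry["user"], epoch):
            last_review[entry["user"]] = seen

    findings = []
    for acct in idp_accounts:
        user = acct["user"]
        person = hr.get(user)

        # Deprovisioning: terminated staff must be disabled within the SLA.
        if person is not None and person["status"] == "terminated":
            term = _ts(person["terminated_at"])
            if acct["enabled"]:
                overdue = as_of - term
                if overdue > DEPROVISION_SLA:
                    findings.append({"user": user, "control": "CC6",
                                     "issue": f"account still enabled {overdue.days} days after termination"})
            else:
                lag = _ts(acct["disabled_at"]) - term
                if lag > DEPROVISION_SLA:
                    findings.append({"user": user, "control": "CC6",
                                     "issue": f"deprovisioned {lag.days} days after termination (SLA exceeded)"})
            continue  # the remaining checks apply to accounts that should be active

        if not acct["enabled"]:
            continue

        # Orphan account: enabled in the IdP but with no owner in HR.
        if person is None:
            findings.append({"user": user, "control": "CC6",
                             "issue": "enabled account with no HR record"})

        # MFA must be enforced on every enabled account.
        if not acct["mfa_enrolled"]:
            findings.append({"user": user, "control": "CC6", "issue": "MFA not enrolled"})

        # Quarterly access review: every enabled account reviewed within the interval.
        reviewed = last_review.get(user)
        if reviewed is None or as_of - reviewed > REVIEW_INTERVAL:
            findings.append({"user": user, "control": "CC6",
                             "issue": "no access review within the last 90 days"})
    return findings


def evidence_record(findings, as_of):
    """Wrap findings with collection time, source system and the parameters used,
    which is the context an auditor needs to accept the artifact."""
    return {
        "collected_at": as_of.isoformat(),
        "source_system": SOURCE_SYSTEM,
        "parameters": {"deprovision_sla_hours": DEPROVISION_SLA.total_seconds() / 3600,
                       "review_interval_days": REVIEW_INTERVAL.days},
        "finding_count": len(findings),
        "findings": findings,
    }


def run_sample():
    """Run the check over the constructed exports and return the evidence record."""
    return evidence_record(check_access_controls(HR_ROSTER, IDP_ACCOUNTS, REVIEW_LOG, AS_OF), AS_OF)


if __name__ == "__main__":
    print(json.dumps(run_sample(), indent=2))
```

Run on a schedule, with the JSON record stored alongside the raw exports it was computed from, this produces the kind of dated, source-attributed artifact the observation period requires; on the sample data it flags bob's still-enabled account and three issues on the orphan account dave, while carol's same-day deprovisioning and alice's recent review produce nothing.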
Leave 1-2 weeks between the observation period end date and audit fieldwork start date. This buffer prevents last-minute evidence collection scrambles.
Phase 5: Examination and Report (Months 10-13)
During fieldwork (4-6 weeks), the auditor reviews your evidence, conducts walkthroughs of key processes, interviews personnel, and tests control operation. The examination produces one of four outcomes: an unqualified opinion (controls met criteria — this is the goal), a qualified opinion (mostly good with noted exceptions), an adverse opinion (significant deficiencies), or a disclaimer (insufficient evidence to form an opinion).
The final SOC 2 report is typically 50-100+ pages and includes the auditor's opinion, management's assertion, a detailed system description, and — for Type II — control descriptions, test procedures, and results including any exceptions. The report is restricted use: it cannot be posted publicly. Share it under NDA, through a secure data room, or via a trust center platform.
For public trust signals, obtain a SOC 3 report at the same time. SOC 3 covers the same scope as SOC 2 but is designed for general public use: it is shorter, omits the detailed test results, and can be posted on your website. The incremental cost of a SOC 3 report issued alongside the SOC 2 is minimal.
After receiving your report, the cycle continues. SOC 2 reports are conventionally valid for 12 months. Enterprise customers expect annual renewal. Budget $30,000-$60,000 per year ongoing for the compliance platform plus audit renewal fees.