Performing SOC 2 Type II Audit Preparation
Overview
SOC 2 Type II audit preparation involves designing, implementing, and demonstrating the operational effectiveness of controls aligned to the AICPA Trust Services Criteria (TSC) over a defined audit period (typically 6-12 months). Unlike Type I which assesses control design at a point in time, Type II evaluates whether controls operated effectively throughout the entire examination period.
Prerequisites
- Understanding of AICPA Trust Services Criteria (2017, updated 2022)
- Knowledge of internal control frameworks (COSO 2013)
- Familiarity with organizational IT infrastructure and data flows
- Access to GRC (Governance, Risk, Compliance) tooling
Core Concepts
Trust Services Criteria (TSC)
Five categories, with Security (Common Criteria) being mandatory:
| Criteria |
Description |
Required |
| Security (CC) |
Protection against unauthorized access |
Mandatory |
| Availability (A) |
System availability for operation and use |
Optional |
| Processing Integrity (PI) |
System processing is complete, valid, accurate, timely, authorized |
Optional |
| Confidentiality (C) |
Information designated as confidential is protected |
Optional |
| Privacy (P) |
Personal information collected, used, retained, disclosed per notice |
Optional |
Common Criteria (CC Series)
Security is organized into 9 series based on COSO principles:
| Series |
Focus Area |
COSO Principle |
| CC1 |
Control Environment |
Integrity and ethical values |
| CC2 |
Communication and Information |
Quality information for controls |
| CC3 |
Risk Assessment |
Identify and assess risks |
| CC4 |
Monitoring Activities |
Monitor and evaluate controls |
| CC5 |
Control Activities |
Select and develop controls |
| CC6 |
Logical and Physical Access |
Restrict access to authorized users |
| CC7 |
System Operations |
Detect and respond to system anomalies |
| CC8 |
Change Management |
Authorized, tested, approved changes |
| CC9 |
Risk Mitigation |
Risk mitigation through business processes |
Type I vs Type II
| Aspect |
Type I |
Type II |
| Scope |
Control design at a point in time |
Control effectiveness over a period |
| Audit Period |
Single date |
6-12 months (typically 12) |
| Evidence |
Design documentation |
Operating evidence throughout period |
| Assurance |
Lower |
Higher |
| Market Value |
Initial baseline |
Industry standard expectation |
Implementation Steps
Phase 1: Scoping and Readiness (Weeks 1-4)
- Determine which TSC categories to include (Security mandatory, others based on customer needs)
- Define system boundaries and description components:
- Infrastructure (servers, networks, cloud services)
- Software (applications, operating systems)
- People (roles, responsibilities)
- Procedures (automated and manual)
- Data (data flows, classification)
- Select audit firm (CPA firm with SOC experience)
- Define audit window (start and end dates)
- Conduct readiness assessment against selected criteria
Phase 2: Control Design and Implementation (Weeks 5-16)
- Map organizational controls to TSC criteria
- Design controls for each applicable criterion:
-
CC6.1: Logical access security (SSO, MFA, RBAC)
-
CC6.2: System credential management
-
CC6.3: Access removal upon termination
-
CC7.1: Intrusion detection and monitoring
-
CC7.2: Security incident response
-
CC8.1: Change management process
- Implement technical controls:
- Identity provider (Okta, Azure AD)
- Endpoint detection and response
- SIEM for log aggregation
- Vulnerability scanning
- Encryption at rest and in transit
- Implement administrative controls:
- Security policies and procedures
- Background check process
- Security awareness training
- Vendor management programme
- Document all controls with:
- Control objective
- Control activity description
- Frequency (continuous, daily, weekly, quarterly, annual)
- Control owner
- Evidence type (screenshot, report, ticket, log)
Phase 3: Evidence Collection Period (Audit Window)
- Operate controls consistently throughout the audit period
- Collect and organize evidence:
- Access review completion records (quarterly)
- Change management tickets and approvals
- Incident response logs
- Vulnerability scan reports
- Penetration test results
- Training completion records
- Backup verification logs
- System availability reports
- Maintain evidence repository with clear naming conventions
- Track control failures and exceptions
- Implement remediation for any control gaps identified during the period
Phase 4: Pre-Audit Preparation (Weeks before audit)
- Perform internal control testing (walkthroughs)
- Prepare system description document
- Organize evidence by TSC criterion
- Brief control owners on audit process
- Prepare management assertion letter
- Identify and remediate any last-minute gaps
Phase 5: Audit Execution
- Auditor performs inquiry, observation, inspection, and reperformance
- Provide requested evidence and access
- Respond to auditor questions and information requests
- Address any exceptions identified during testing
- Review draft report for factual accuracy
Phase 6: Report and Remediation
- Receive SOC 2 Type II report
- Address any qualified opinions or control exceptions
- Distribute report to customers (typically under NDA)
- Plan remediation for identified exceptions
- Begin preparing for next audit cycle
Key Artifacts
- System Description Document
- Control Matrix (TSC mapping)
- Risk Assessment Documentation
- Evidence Repository
- Management Assertion Letter
- SOC 2 Type II Report (Sections I-V)
- Remediation Plan for Exceptions
Common Pitfalls
- Starting evidence collection too late - need full audit period coverage
- Inconsistent control operation (e.g., missing quarterly access reviews)
- Insufficient system description detail
- Not including subservice organizations (IaaS providers)
- Failing to document complementary user entity controls (CUECs)
- Manual controls without documented evidence of execution
References
