SOC 2 Type II Certification Guide: Preparation, Evidence Collection, and Audit Readiness
SOC 2 Type II is the most requested security assurance report in the B2B SaaS market. Enterprise customers, particularly in financial services, healthcare, and government, require SOC 2 Type II reports as a condition of vendor onboarding. Unlike a Type I report which captures whether controls are suitably designed at a point in time, Type II validates that controls have been operating effectively over a continuous observation period, typically 6 to 12 months. The audit examines evidence that controls were actually performed, not just that procedures were documented.
The American Institute of Certified Public Accountants (AICPA) defines the SOC 2 framework through the Trust Services Criteria (TSC), which covers five areas: Security (CC categories, required for all SOC 2 reports), Availability, Processing Integrity, Confidentiality, and Privacy. Most organizations scope their SOC 2 to Security plus one or two additional criteria most relevant to their customers. This guide covers the full process from initial scoping and gap assessment through evidence collection, auditor selection, and maintaining certification through annual renewals.
SOC 2 Type I vs Type II: Key Differences
Understanding the distinction between Type I and Type II is essential for setting customer and stakeholder expectations correctly.
SOC 2 Type I evaluates whether controls are suitably designed at a specific point in time. An auditor reviews your control documentation, configuration evidence, and policies as of the report date and opines on whether the design is adequate to meet the applicable Trust Services Criteria. Type I does not evaluate whether controls were actually performed consistently over time.
SOC 2 Type II evaluates both the design adequacy and the operating effectiveness of controls over an observation period. The auditor reviews evidence that each control was performed consistently throughout the period: access reviews were conducted monthly, vulnerability scans ran weekly, change management records exist for every significant change, penetration tests were performed within the required window. Type II requires a minimum 6-month observation period; most organizations use 12 months for the annual renewal cycle.
Which report to pursue first: Type I serves as a readiness milestone and can be issued 4 to 8 weeks after completing a gap assessment and implementing missing controls. It signals to customers that controls are in place, even if operational history has not yet accumulated. Organizations are typically advised to pursue Type I first while running through their first Type II observation period. Some enterprise customers accept Type I initially but require Type II within 12 to 18 months.
What Type II does not cover: SOC 2 reports describe the controls of a service organization relevant to the security of customer data, not the security of the organization overall. Internal systems outside the scope definition are not evaluated. The scope is a critical decision: scoping too broadly increases audit complexity and cost; scoping too narrowly may not satisfy customer requirements. Common scope decisions: include production infrastructure and customer data processing systems; exclude internal corporate systems, HR systems, and non-production environments.
The Five Trust Services Criteria
SOC 2 reports are organized around the AICPA Trust Services Criteria. Security (Common Criteria, CC) is required in every SOC 2 report. The other four are optional and selected based on customer requirements and the nature of the service.
Security (Common Criteria, CC): The Security criteria contain 33 Common Criteria (CC1 through CC9) covering: the control environment (CC1, organizational oversight and accountability), communication and information (CC2), risk assessment (CC3), monitoring of controls (CC4), control activities (CC5), logical and physical access controls (CC6), system operations (CC7), change management (CC8), and risk mitigation (CC9). CC6 and CC7 generate the most evidence requests and the most common findings; they cover authentication, access provisioning and review, vulnerability management, and incident detection.
Availability (A): Addresses whether the system is available for operation and use as committed. Relevant if your customers rely on your service for critical operations and availability SLAs are material to your contract commitments. Evidence includes uptime monitoring records, incident records, capacity planning documentation, and disaster recovery test results.
Processing Integrity (PI): Addresses whether system processing is complete, valid, accurate, timely, and authorized. Most relevant for financial processing, payroll, and transaction systems where incorrect processing is a material risk. Evidence includes data validation controls, error handling logs, and reconciliation procedures.
Confidentiality (C): Addresses whether information designated as confidential is protected as committed. Relevant when customers contractually require you to protect their confidential information. Evidence includes data classification policies, encryption configurations, and access controls on confidential data repositories.
Privacy (P): Addresses the collection, use, retention, disclosure, and disposal of personal information in conformity with AICPA privacy principles. Most relevant for organizations handling consumer PII or subject to GDPR or CCPA. Evidence includes privacy notices, consent mechanisms, data subject request processes, and data retention and deletion records.
Choosing which criteria to include: Most SaaS organizations include Security plus Availability, which satisfies the majority of enterprise customer requirements. Adding Confidentiality is appropriate when customer contracts include explicit confidentiality commitments. Processing Integrity is necessary for financial technology and payroll processing. Privacy is increasingly requested as GDPR and CCPA enforcement intensifies.
Evidence Collection Requirements by Criteria
SOC 2 Type II auditors request evidence that each control operated throughout the observation period. Understanding evidence requirements before the observation period starts lets you build collection workflows rather than scrambling during the audit fieldwork phase.
Access management evidence (CC6.1-CC6.3):
- User access provisioning records showing approval for each new access grant during the period
- Quarterly or semi-annual user access reviews with evidence of completion and remediation of excess access
- Privileged account inventory and access review
- Terminated user offboarding records showing account disabling within the defined SLA
- MFA enrollment records for all user accounts
Vulnerability management evidence (CC7.1):
- Vulnerability scan reports on a defined cadence (weekly for external-facing systems is common)
- Evidence of remediation for critical and high-severity findings within SLA
- Penetration test report from within the audit period
- Patch deployment records for critical patches
Change management evidence (CC8.1):
- Change request records for all significant changes to in-scope systems during the period
- Evidence of testing and approval for each change
- Emergency change records with post-implementation review documentation
Incident management evidence (CC7.3-CC7.5):
- Incident log for all security events during the period
- Evidence of incident response procedure execution for each logged incident
- Post-incident review documentation for significant incidents
Risk assessment evidence (CC3.1-CC3.4):
- Annual risk assessment documentation with date and approver
- Risk register with residual risk ratings
- Evidence that risk assessment results informed control decisions
Practical evidence collection workflow: Build automated evidence collection into your operations from day one of the observation period. Configure your identity provider (Okta, Entra ID) to export monthly access review reports automatically. Schedule vulnerability scan reports to be saved to an audit evidence repository. Create a ticketing workflow that captures change approval records in a format that maps directly to audit requests. Compliance automation platforms (Vanta, Drata, Secureframe) automate this collection by integrating with your tool stack via API.
Common Control Gaps That Cause Audit Findings
Qualified opinions and findings in SOC 2 Type II reports are almost always predictable. These are the control areas where auditors most frequently identify deficiencies.
Access review failures: The most common finding. Organizations define a quarterly user access review process in policy but fail to conduct the review on schedule, fail to document completion, or fail to remediate excess access identified during the review. Fix: build access reviews into a ticketing system with mandatory completion dates and assign specific owners. Document every access change made as a result of the review. Auditors want to see evidence that excess access was identified and removed, not just that a list was generated.
Terminated user access: Accounts not disabled within the committed SLA (often 24 to 48 hours after termination). This is frequently caused by HR-IT notification gaps, particularly for contractor and third-party personnel. Fix: automate offboarding triggers from the HR system to your identity provider so accounts are disabled automatically when a termination record is created.
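An added example (not from the original article) of the automated check described here and in the evidence collection workflow above: it joins a constructed identity-provider export with a constructed HR termination feed and reports accounts not disabled within the SLA, plus active accounts without MFA. The export fields, the 24-hour SLA and the sample records are assumptions.

```python
"""Offboarding-SLA and MFA evidence check for SOC 2 CC6.1-CC6.3 (constructed example)."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional, Tuple

SLA_HOURS = 24  # assumed: the offboarding SLA committed to in the access control policy

@dataclass
class IdpUser:
    """One row of an assumed identity-provider user export."""
    email: str
    status: str                       # "active" or "deprovisioned"
    mfa_enrolled: bool
    deprovisioned_at: Optional[datetime] = None

@dataclass
class Termination:
    """One row of an assumed HR termination feed."""
    email: str
    terminated_at: datetime

def offboarding_findings(users: List[IdpUser], terminations: List[Termination],
                         sla_hours: int = SLA_HOURS) -> List[Tuple[str, str]]:
    """Return (email, reason) for every terminated user whose account was not disabled within the SLA."""
    by_email = {u.email: u for u in users}
    findings = []
    for t in terminations:
        u = by_email.get(t.email)
        if u is None:
            findings.append((t.email, "no IdP account found for terminated user"))
        elif u.status != "deprovisioned" or u.deprovisioned_at is None:
            findings.append((t.email, "account still active after termination"))
        else:
            elapsed = u.deprovisioned_at - t.terminated_at
            if elapsed > timedelta(hours=sla_hours):
                findings.append((t.email, f"disabled after {elapsed.total_seconds() / 3600:.0f}h, SLA is {sla_hours}h"))
    return findings

def mfa_findings(users: List[IdpUser]) -> List[str]:
    """Return active accounts with no MFA enrolment (CC6.1 evidence gap)."""
    return [u.email for u in users if u.status == "active" and not u.mfa_enrolled]

# Constructed sample data: four IdP accounts and four HR termination records.
SAMPLE_USERS = [
    IdpUser("alice@example.com", "active", True),
    IdpUser("bob@example.com", "deprovisioned", True, datetime(2024, 3, 2, 10, 0)),
    IdpUser("carol@example.com", "active", False),
    IdpUser("dave@example.com", "deprovisioned", True, datetime(2024, 3, 5, 9, 0)),
]
SAMPLE_TERMINATIONS = [
    Termination("bob@example.com", datetime(2024, 3, 1, 17, 0)),   # disabled 17h later: within SLA
    Termination("dave@example.com", datetime(2024, 3, 1, 12, 0)),  # disabled 93h later: SLA breach
    Termination("carol@example.com", datetime(2024, 3, 3, 9, 0)),  # never disabled
    Termination("erin@example.com", datetime(2024, 3, 4, 9, 0)),   # no matching IdP account
]

if __name__ == "__main__":
    print(offboarding_findings(SAMPLE_USERS, SAMPLE_TERMINATIONS))
    print(mfa_findings(SAMPLE_USERS))
```

Run monthly against real exports, the two result lists are the evidence an auditor asks for under CC6: an empty offboarding list shows the SLA held, and a non-empty one documents the exceptions and their remediation.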
Vendor/third-party risk management: Inadequate documentation of vendor security assessments, missing business associate agreements or data processing addendums, or failure to conduct annual vendor reviews for high-risk vendors. Fix: maintain a vendor risk register with review dates and document the assessment criteria and results for each vendor with access to in-scope systems.
Penetration testing gaps: No penetration test during the observation period, or a test that was conducted but findings were not remediated within the committed timeline. Fix: schedule the penetration test in the first half of the observation period so remediation time exists before the audit fieldwork phase.
Change management documentation: Undocumented changes deployed to production systems, or emergency changes without post-implementation review. Fix: enforce change tickets as a prerequisite for production deployments via CI/CD pipeline gates. Make the change ticket mandatory in the deployment workflow so it cannot be bypassed.
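An added example (not from the original article) of the change-ticket pipeline gate described here: it resolves CHG-nnn ticket references in the commit message against a ticketing export and returns the decision together with the evidence record to archive. The ticket ID format, the ticket fields and the sample tickets are assumptions.

```python
"""Change-ticket gate for production deployments, mapped to SOC 2 CC8.1 (constructed example)."""
import re
import sys
from typing import Dict, List

TICKET_RE = re.compile(r"\bCHG-\d+\b")  # assumed ticket ID format used by the ticketing system

# Constructed snapshot of a ticketing-system export; a real gate would fetch this via the tool's API.
TICKETS: Dict[str, dict] = {
    "CHG-101": {"status": "approved", "approver": "cto@example.com", "tested": True,  "emergency": False},
    "CHG-102": {"status": "open",     "approver": None,              "tested": False, "emergency": False},
    "CHG-103": {"status": "approved", "approver": "ops@example.com", "tested": False, "emergency": False},
    "CHG-104": {"status": "approved", "approver": "ops@example.com", "tested": False, "emergency": True},
}

def evaluate_deploy(commit_message: str, tickets: Dict[str, dict], environment: str = "production") -> dict:
    """Decide whether a deployment may proceed and return the record to archive as audit evidence.

    Production deployments must reference an approved ticket with testing evidence; emergency
    tickets may skip testing evidence but are flagged so a post-implementation review is tracked.
    """
    ids: List[str] = TICKET_RE.findall(commit_message)
    record = {"environment": environment, "tickets": ids, "approvers": [], "allowed": False, "reason": ""}
    if environment != "production":
        record.update(allowed=True, reason="non-production, no ticket required")
        return record
    if not ids:
        record["reason"] = "no change ticket referenced"
        return record
    for tid in ids:
        t = tickets.get(tid)
        if t is None:
            record["reason"] = f"{tid} not found in ticketing system"
            return record
        if t["status"] != "approved" or not t["approver"]:
            record["reason"] = f"{tid} is not approved"
            return record
        if not t["tested"] and not t["emergency"]:
            record["reason"] = f"{tid} has no testing evidence"
            return record
        record["approvers"].append(t["approver"])
    record["allowed"] = True
    if any(tickets[tid]["emergency"] for tid in ids):
        record["reason"] = "emergency change: post-implementation review required"
    else:
        record["reason"] = "approved and tested"
    return record

if __name__ == "__main__":
    # Usage in a pipeline step: python gate.py "<commit message>"; a non-zero exit blocks the deploy.
    result = evaluate_deploy(sys.argv[1] if len(sys.argv) > 1 else "", TICKETS)
    print(result)
    sys.exit(0 if result["allowed"] else 1)
```

Archiving the returned record for every production deployment gives a one-to-one mapping between deployments and approved tickets, which is the CC8.1 population an auditor samples from.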
Missing or outdated policies: Policies not reviewed and reapproved within the committed annual review cycle. Fix: schedule annual policy reviews as recurring calendar events with assigned owners. Use a document management system that tracks policy version history and approval dates.
Auditor Selection and Compliance Automation Tools
Selecting the right auditor and using compliance automation tools are the two decisions with the greatest impact on audit efficiency and cost.
Choosing a SOC 2 auditor: SOC 2 audits must be conducted by a licensed CPA firm. Selection criteria: experience with technology companies and SaaS specifically (auditors unfamiliar with cloud infrastructure request irrelevant evidence and miss real risks), responsiveness and communication quality during the sales process (predicts audit experience), fixed-fee vs. time-and-materials pricing (fixed-fee protects against scope creep), and references from similar-stage companies. Cost range: $15,000 to $40,000 for a first-year Type II audit for a startup; $40,000 to $100,000+ for larger organizations with complex infrastructure. Larger firms (Deloitte, PwC, Grant Thornton) carry brand recognition but smaller specialized firms (Schellman, Prescient Security, Johanson Group) often provide better service for growth-stage technology companies.
Compliance automation platforms: Automation platforms reduce manual evidence collection burden by 60 to 80 percent through API integrations with your tool stack.
- Vanta: The most widely used platform for SOC 2 in the SaaS market. Integrates with AWS, GCP, Azure, GitHub, Okta, Jira, and 100+ other tools. Automatically collects evidence for configured controls and provides a readiness percentage dashboard. Also supports ISO 27001, HIPAA, PCI DSS, and GDPR. Pricing: approximately $10,000 to $30,000 per year depending on organization size.
- Drata: Strong competitor with similar integration breadth. Notable for its continuous monitoring model that alerts on control failures in real time rather than at audit time. Provides an audit evidence room that auditors access directly, reducing back-and-forth.
- Secureframe: Lower price point targeting earlier-stage companies. Supports major compliance frameworks with a simpler interface. Less extensive integration library than Vanta or Drata.
- Tugboat Logic (acquired by OneTrust): Strong policy management and vendor risk management alongside controls automation.
Do you need a compliance automation platform? For organizations with significant tool stack breadth, yes. Manual evidence collection for a first SOC 2 audit involves dozens of hours gathering screenshots, exports, and records from multiple systems. Automation platforms pay for themselves in staff time savings within the first audit cycle and provide continuous monitoring that catches control failures before the auditor does.
The bottom line
SOC 2 Type II certification is achievable for any organization with the right preparation approach: conduct a gap assessment using the Trust Services Criteria, build evidence collection workflows into your operations before the observation period starts, focus remediation effort on access management and change management where findings are most common, and use a compliance automation platform to reduce the manual burden. Plan 9 to 18 months from gap assessment to a clean first Type II report. Pursue Type I as a milestone if customers need proof of controls before your Type II observation period is complete.
Frequently asked questions
What is the difference between SOC 2 Type I and SOC 2 Type II?
SOC 2 Type I evaluates whether controls are suitably designed at a single point in time. SOC 2 Type II evaluates whether controls have been operating effectively over an observation period, typically 6 to 12 months. Type I can be obtained within weeks of implementing controls; Type II requires accumulating operational evidence over the observation window. Enterprise customers almost always require Type II; Type I is a useful interim step while running through the first observation period.
How much does a SOC 2 Type II audit cost?
First-year SOC 2 Type II audit fees typically range from $20,000 to $50,000 for growth-stage SaaS companies using a specialized audit firm, and $50,000 to $100,000+ for larger organizations or those using Big Four firms. Add compliance automation platform costs of $10,000 to $30,000 per year. Internal staff time for evidence collection and remediation adds significant cost in the first year, often equivalent to one to three months of a security engineer's time. Annual renewal audits typically cost 20 to 30 percent less than the initial audit.
What security controls are required for SOC 2?
SOC 2 does not prescribe specific controls. It evaluates whether your controls are suitably designed and operating effectively relative to the Trust Services Criteria. Common controls that satisfy the Security criteria include: MFA on all systems, quarterly access reviews, vulnerability scanning on a defined cadence, annual penetration testing, formal change management process, incident response program, and vendor risk management. The specific design of each control is your choice; the auditor evaluates whether it achieves the criteria outcome.
How long does a SOC 2 Type II audit take from start to finish?
The full process from gap assessment to receiving the final report typically takes 12 to 18 months for a first-time certification. Breakdown: 1 to 3 months for gap assessment and control implementation, 6 to 12 months for the observation period, 1 to 2 months for auditor fieldwork and report finalization. Organizations with mature existing security programs can sometimes complete the process in 9 months by implementing gaps quickly and using a 6-month observation period.
Do you need all five Trust Services Criteria for SOC 2?
No. Security (Common Criteria) is the only category required in every SOC 2 report. The four optional criteria (Availability, Processing Integrity, Confidentiality, Privacy) are included based on customer requirements and the nature of your service. Most SaaS companies include Security plus Availability for the majority of enterprise customer needs. Adding criteria increases audit scope and cost, so include only what your customers actually require or what reflects material risk in your service.
What is the difference between SOC 2 and ISO 27001?
SOC 2 is an audited report issued by a CPA firm attesting to the operating effectiveness of specific controls over a defined period, primarily valued in North American markets. ISO 27001 is a certifiable management system standard audited by an accredited certification body, widely recognized in European and international markets. SOC 2 is more flexible on specific control design; ISO 27001 requires implementation of a full ISMS with documented controls from Annex A. Many global organizations pursue both, as they complement each other and share significant control overlap.
Can a compliance automation platform replace security controls?
No. Compliance automation platforms like Vanta and Drata automate evidence collection and monitoring but do not implement security controls. They collect evidence that your controls are operating, they do not operate the controls themselves. You still need the underlying security infrastructure: MFA enforcement, access review processes, vulnerability scanning, and incident response procedures. The automation platform saves 60 to 80 percent of the manual effort involved in gathering evidence those controls were performed.

Founder & Cybersecurity Evangelist, Decryption Digest
Cybersecurity professional with expertise in threat intelligence, vulnerability research, and enterprise security. Covers zero-days, ransomware, and nation-state operations for 50,000+ security professionals weekly.