A CERT-In Empanelled Auditing Organization

SOC 2 (SSAE 21)

Type I and Type II examinations across the Trust Services Criteria — security, availability, processing integrity, confidentiality and privacy.

Overview

The report your customers keep asking for.

SOC 2 has become the default assurance request from enterprise customers and partners. It demonstrates that your controls over security and the other Trust Services Criteria are designed and operating effectively.

We assess your environment against the criteria relevant to your service, test the supporting controls over the reporting period, and produce a report that satisfies the due-diligence teams reviewing you.

What’s covered

The areas this audit examines.

Security (Common Criteria)

The baseline control set every SOC 2 includes.

Availability

Uptime, resilience and capacity commitments.

Confidentiality

Protection of information designated confidential.

Processing integrity

Complete, accurate and timely processing.

Privacy

Handling of personal information in line with the commitments in your privacy notice.

Control testing & evidence

Sampling control operation across the period.

Who needs this

Could this be what you need?

Common situations where this engagement makes sense.

  • SaaS & cloud providers: Enterprise customers demand SOC 2.
  • Data processors & BPOs: Handling client data.
  • Fintech & healthtech: High-trust services.
  • Managed service providers: Outsourced operations.
  • Startups selling to enterprise: Unblocking procurement.
  • Service orgs holding client data: Contractual assurance.

Regulatory drivers

Why this is required

SOC 2 is driven by professional attestation standards and customer contracts rather than statute, but for SaaS and service providers it has become a procurement gate that independently demonstrates your controls operate effectively.

  • AICPA SSAE 18 / Trust Services Criteria: SOC 2 is performed under AICPA attestation standards against the Trust Services Criteria you select.
  • Customer contracts & MSAs: Enterprise clients frequently require a current SOC 2 report as a condition of doing business.
  • Vendor-risk & procurement: SOC 2 is increasingly the baseline assurance expected in third-party risk programmes.

How we work

A proven, methodical approach.

A staged approach built to deliver a defensible outcome.

Scoping & TSC selection

Selecting the Trust Services Criteria and reporting period in scope.

Readiness & gap review

An optional pre-audit pass to fix gaps before the examination.

Control & evidence mapping

Mapping controls to the criteria and agreeing evidence needs.

Testing of operating effectiveness

Sampling and testing controls across the period (Type II).

Exceptions & management response

Documenting exceptions with your management responses.

Report issuance

Issuing the SOC 2 Type I or Type II report.

What you receive

Documentation built for every audience.

  • SOC 2 report (Type I/II): A formal report you can share with customers.
  • Control-to-TSC matrix: Your controls mapped to each Trust Services Criterion.
  • Exceptions register: Any exceptions with management responses.
  • Management letter: Observations and recommendations for improvement.
  • Corrective action plan: Agreed actions to address findings.

Standards & frameworks

The work is mapped to the standards and rules that apply to you.

  • SOC 2 TSC
  • AICPA SSAE
  • COSO
  • ISO 27001 (mapping)

Checklist

Are you ready? A quick checklist

What to have in place before we begin.

  • Trust Services Criteria selected
  • System description drafted
  • In-scope systems and locations defined
  • Reporting period agreed (Type II)
  • Control owners identified
  • Evidence collection process ready
  • Subservice organisations listed
  • Prior findings reviewed

FAQ

Common questions

What’s the difference between Type I and Type II?
Type I assesses control design at a point in time; Type II tests operating effectiveness over a period — typically three to twelve months — which is what most customers ultimately want.
How long is the observation period?
For a first Type II report the observation period is commonly three to six months, which keeps the initial timeline manageable while still demonstrating that controls operate over time. Subsequent annual reports usually cover a full twelve months so there are no gaps in coverage for your customers. We help you choose a period that satisfies your clients without delaying the report unnecessarily.
Can you map SOC 2 to ISO 27001?
Yes. SOC 2 and ISO 27001 overlap substantially in their control objectives, so where you hold or are pursuing one, much of the work carries across to the other. We plan a combined approach, map the shared controls once and reuse evidence across both — which avoids duplicated effort and audit fatigue.
Is SOC 2 a certification?
No — SOC 2 is an attestation report issued by a licensed CPA firm, not a certification with a pass/fail badge. The report describes your controls and the auditor’s opinion on their design and, for Type II, their operating effectiveness. We provide the readiness and assessment support and coordinate the formal examination with the CPA firm.
How many criteria must we include?
Security, known as the Common Criteria, is mandatory in every SOC 2 report. You then add any of Availability, Confidentiality, Processing Integrity and Privacy based on what your customers care about and the commitments you make to them. We help you choose a scope that satisfies client demand without testing more than you need.
How long until we have a report?
A Type I report can be completed in a few weeks once your controls are in place. A Type II report takes longer because it covers an observation period — commonly three to twelve months — followed by the auditor’s testing and reporting. A readiness review first keeps the whole timeline predictable.
Ready to get started?

Tell us your goals and constraints, and we’ll shape the right engagement.