In the past several years, as SOC 2 reports have increased in popularity, one of the first things prospective clients ask when meeting with me is if there is a checklist of things they can have that will help them prepare for the audit and become SOC 2 compliant. There seems to be a common misconception in the industry that there is a set of controls or actions, like a checklist, that a service organization can complete that will prepare them for a successful SOC 2 audit. Unfortunately, my answer can be quite disappointing as no SOC 2 report is the same, so there is no one-size-fits-all checklist for service organizations to achieve SOC 2 compliance.
Don’t get me wrong, there are SOC 2 compliance checklists out there on the internet that have been created, but it is important to understand that the AICPA has not issued a SOC 2 compliance checklist that contains the requirements for what controls your organization needs to have in place to be SOC 2 compliant. This is important because the AICPA is the governing body that issued the Trust Services Criteria (TSCs), which define the criteria that need to be met to be “SOC 2 compliant”. Because the AICPA has not issued a checklist, all other checklists are just suggestions for meeting the SOC 2 criteria.
This is because the SOC 2 criteria are rather general, and how each service organization satisfies those criteria is up to them and their service auditor. This means most service organizations will need to spend time with their service auditor discussing their service(s) and their control environment to better understand how to meet the SOC 2 criteria, which is typically the last thing people want to hear when they are in a rush to get a SOC 2. But skipping these conversations can lead to common pitfalls and control failures during the SOC 2 audit that could have been avoided.

Is SOC 2 Compliance Mandatory?
A System and Organization Control 2 (SOC 2) report is an attestation report that organizations provide to their user organizations and stakeholders to demonstrate the controls the organization has in place to secure the system and/or services they provide. If your organization provides a system and/or service to user organizations, then a SOC 2 report could be something your users are requesting of the organization. Being in compliance with the SOC 2 trust services criteria, issued by the AICPA, is not mandatory; rather, not having a report can be a barrier to doing business for service organizations, as many user entities require applicable vendors to have a SOC 2 report.
Many service organizations are asked by prospective or current user organizations for a SOC 2 report, which kicks off the process of the organization becoming SOC 2 compliant. Many user organizations utilize the SOC 2 reports provided by their service organizations for their own internal and external audits to determine that their data is being handled in a secure manner.
What Are The Five Trust Services Criteria?
A SOC 2 report is an attestation report where the management of the service organization asserts that they have controls in place to meet the applicable SOC 2 trust services criteria (TSC). The five trust services criteria are:
- Security (also called the common criteria)
- Availability
- Confidentiality
- Processing integrity
- Privacy
One of the first things an organization needs to do when prepping for a SOC 2 report is determining which trust services criteria will be in scope. The only trust services criteria that must be included in a SOC 2 report is the security criteria, also called the common criteria. The other trust services criteria should be included based on the nature of the organization’s system and/or services being covered in the report. In some cases, user entities will request that specific criteria be included; if not, the criteria in scope will be left up to the discretion of management and their auditor.
An organization may determine which criteria are relevant by considering which risks are present as a result of the services/systems provided to its users and selecting which criteria are relevant to address these risks. For example, the processing integrity criteria would likely be applicable to a payroll processing platform but not an organization providing a people management platform. Another example would be the availability criteria being applicable for hosting and colocation providers.

What are the Requirements for SOC 2 Compliance?
As mentioned above, the scope of a SOC 2 report can include one or more of the five trust services criteria. Within each trust services category, there are specific criteria or requirements that must be met by the organization in order for it to become SOC 2 compliant. How these are met is up to the organization and its auditor to determine. The AICPA has provided points of focus to consider when trying to meet each criterion, but they are just that – points of focus and not a strict set of requirements.
Because every service organization’s internal control environment, services/systems, and the information technology systems supporting them are different, how the in-scope criteria are met can be different for every service organization. The AICPA has not defined a specific list of controls that must be in place to meet the trust services criteria. The controls in place at the organization that are mapped to the SOC 2 criteria are up to the discretion of the organization and service auditor. This can make the process feel daunting when going through the SOC 2 audit process for the first time, which is why a SOC 2 readiness assessment is beneficial.
Many service auditors that specialize in SOC 2 audits will also provide SOC 2 readiness assessments, which are a best practice for SOC 2 audit preparedness. When performing a SOC 2 readiness assessment, service auditors typically have a set of general controls that they expect to see in place at an organization, which can be tailored to the organization and its control environment to meet the applicable trust services criteria.
How Do I Prepare for a SOC 2 Audit?
Since there is no SOC 2 compliance checklist issued by the AICPA for organizations to use when preparing for a SOC 2 audit, a readiness assessment is the next best thing and considered a best practice for SOC 2 audit preparedness. A SOC 2 readiness assessment, or gap analysis, is used by the service auditor to assess an organization’s preparedness for a SOC 2 audit. It also helps to identify any potential control gaps for remediation prior to starting the period or fieldwork for the SOC 2 audit.
Every readiness assessment is different depending on the service auditor completing it, as there is no specific SOC 2 audit checklist or listing of required security controls issued by the AICPA. The purpose of the readiness assessment is for the organization to identify processes and controls that will mitigate the risks relevant to the scope of the SOC 2 report and identify any gaps requiring remediation. This allows the organization to resolve any identified gaps prior to starting their SOC 2 examination and hopefully will result in a surprise-free audit with little to no findings.
Additionally, the readiness assessment will give the organization an idea of the controls and processes that will be covered, questions that will be asked, procedures performed, and the evidence that will be requested by their service auditor when fieldwork for the SOC 2 audit is conducted. The readiness assessment can be considered a practice run or dress rehearsal for the actual SOC 2 audit itself and an important step in an organization’s compliance journey.
By performing a readiness assessment prior to starting the SOC 2 audit fieldwork or period (depending on whether the first report is a Type I or Type II report), the organization will hopefully be set up for success.

Who Can Perform A SOC 2 Audit?
Licensed CPA firms are the only organizations that can issue a SOC report. Service organizations will typically want to select a CPA firm that specializes in information security audits to conduct their SOC 2 audit. That way, the audit team includes not only licensed CPAs but also auditors with IT audit experience, typically CISAs and/or CISSPs. When selecting an audit firm, resumes or bios of the personnel that will be working on the report can also be requested to validate their experience and level of expertise.
When selecting an audit firm to perform a SOC 2 audit, cost will also likely be a factor. Pricing for different firms will vary widely when it comes to SOC 2 reports. Many factors go into pricing a SOC 2 report, including the scope of the audit, the number of TSCs being covered, whether infrastructure is hosted in the cloud, by a colocation facility, or in-house, and the size of the organization. Typically, as the scope of the audit and organization grows, so does the cost of the audit.
Additionally, as mentioned previously, performing a readiness assessment prior to undergoing a SOC 2 audit would be beneficial and is typical when preparing for the audit. When selecting an audit firm, organizations should inquire if a readiness assessment is offered by the firm and included in the quote for the SOC 2 report or if that will be an additional fee.
How Long Does it Take to Become SOC 2 Compliant?
How long it will take to become SOC 2 compliant is dependent on several things. Some of these factors include whether the organization is completing a Type I or a Type II report, the resources available to support the audit at the organization, and the results of the readiness assessment.
The difference between a Type I SOC 2 and a Type II SOC 2 report is the period of time being covered by the report. A Type I SOC 2 report is issued “as of” a specific date or point in time. A Type I report determines whether an organization’s controls are designed effectively as of a specific date. A Type II SOC 2 report covers a period of time and determines whether a service organization’s controls were designed AND operating effectively during the period. A Type II SOC 2 report can have a period of anywhere between 3 and 12 months, depending on the period that best suits the service organization and its customers. Most times, it makes sense to aim for a period of at least 6 months to provide an accurate depiction of the operating effectiveness of the controls, which in turn provides more value to user organizations and helps to avoid audit fatigue at the organization.
If the organization has decided to start with a Type I SOC 2 report, the process is typically faster than starting with a Type II SOC 2. Since a Type I report only covers a point in time and the design of controls, an organization with little to no control gaps may be able to complete the first-time audit process and have an audit report in hand within a couple of months, depending on service auditor availability and their method for conducting fieldwork.
If the organization has decided to go with a Type II SOC 2 report first, meaning a period of time is being covered, the organization will need to wait the length of the period, typically 6 to 12 months, before a report can be issued. Additionally, the number and types of control gaps identified will greatly impact the amount of time it takes to become SOC 2 compliant, regardless of the type of SOC 2 report being issued. Control gaps identified in the readiness assessment need to be remediated by the service organization prior to the as-of date or starting the audit period for the Type I or Type II SOC 2 report.

How Do You Maintain SOC 2 Compliance?
Once an organization completes its first SOC 2 report, it doesn’t end there. SOC 2 compliance is meant to be ongoing to provide user entities with reasonable assurance over the design and operating effectiveness of the service organization’s controls. Once the first SOC 2 report has been issued, the service organization will then need to maintain its applicable internal controls to demonstrate the operating effectiveness of its controls for the next SOC 2 audit.
There are many ways in which an organization can maintain its internal controls to make sure SOC 2 compliance and the applicable criteria are being met. Methods range from basic to more complex: documenting objectives and control processes in policies that are followed by employees and maintained by process owners, designating a Security Officer to oversee the implementation and monitoring of control activities, and implementing compliance monitoring tools to continuously monitor control activities. Organizations have many options available to them and can turn to their service auditor for recommendations that are appropriate for their control environment.
SOC 2 Compliance Essentials at a Glance
Here are some quick facts about SOC 2 compliance and how to prepare.
- The AICPA has not issued a SOC 2 compliance checklist that contains a list of controls your organization needs to have in place to be SOC 2 compliant.
- The AICPA has provided points of focus to consider when trying to meet the trust services criteria, which can be used to determine the controls that need to be implemented to meet the criteria.
- The five trust services criteria that can be included in a SOC 2 report are: security (or common criteria), availability, confidentiality, processing integrity, and privacy.
- SOC 2 readiness assessments are a best practice for SOC 2 audit preparedness.
- Only licensed CPA firms can issue a SOC 2 report.
- The difficulty level and length of time it takes to undergo your first SOC 2 audit and issue a SOC 2 report are dependent on the scope of the report, report period, and gaps identified during the SOC 2 readiness assessment.
Getting Started with SOC 2: Key Takeaways
Even though the AICPA hasn’t issued an official SOC 2 compliance checklist, this blog has discussed other guidance on what SOC 2 compliance entails and the steps to take to get the process started:
- Why do you need a SOC 2? Are your customers asking you for one?
- What is included in the scope of a SOC 2 audit?
- What kind of audit firm can perform a SOC 2 audit, and how much does it cost?
- What do you need to do to prepare for a SOC 2 audit, and how long will it take?
- How do you maintain SOC 2 compliance?
Every organization and its objectives are different, which makes every SOC 2 report and its preparation different. Answering the questions above and working with a quality CPA firm like Linford & Company will help set the organization up for success when starting the SOC 2 compliance journey.
For further questions on how to become SOC 2 compliant, please contact us to request a consultation.
This article was originally published on 4/19/2023 and was updated on 11/5/2025.

Megan Kovash specializes in SOC audits, with experience in financial audit, internal audit, and data analytics as well. Megan started her career in 2012 after completing her Master of Accountancy at the University of Denver. She is a CPA who specializes in IT security audits; she started her career at Ernst & Young in Denver, then moved to the Internal Audit Data Analytics group at Charles Schwab. She started with Linford & Co., LLP in 2019 and is a partner with the firm. Megan enjoys working with clients to find and implement solutions that better her clients’ business while also meeting audit requirements.