SOC 2 Audits: What You Can Expect From Start to Finish

A SOC 2 audit is an analysis of the policies, processes, and technology in place to protect the data your company manages, processes, and stores.

by Richard Stevenson

May 30, 2023

Companies that undergo a SOC 2 audit are taking a big step in their compliance journey. They’ll need to provide documentation around their security program and proof of internal controls, but is there more to prepare for? 

Knowing what to expect with a SOC 2 audit is the key to ensuring the entire process goes smoothly. Below, we cover the SOC 2 audit process, audit requirements, and tips to help you prepare.

What Is a SOC 2 Audit?

A SOC 2 audit is an analysis of the policies, processes, and technology in place to protect the data your company manages, processes, and stores. SOC 2 audits are conducted against the AICPA’s Trust Services Criteria for Security, Availability, Processing Integrity, Confidentiality, and Privacy.

There are two types of SOC 2 audits:

  • SOC 2 Type 1: This audit measures a company’s security at a point in time. 

  • SOC 2 Type 2: This audit measures a company’s security over a period of time.

Who Can Perform a SOC 2 Audit?

A licensed certified public accountant (CPA) firm must perform a SOC 2 audit, and firms must adhere to specific professional standards established by the AICPA.

All CPA firms that perform attestation under AICPA standards also undergo peer reviews, which confirm that their practices align with attestation standards from the AICPA. Other professionals with relevant experience may participate in the audit process, but a CPA firm will sign and issue the final report. 

It’s up to you to find a CPA firm to work with. Though they’ll be moving toward the same goal, each firm will have a slightly different approach to the SOC audit process.

What Is a SOC 2 Audit Report?

After the CPA firm completes their audit, they’ll issue their findings in a SOC 2 audit report. This report details the auditor’s opinion on your security, availability, processing integrity, confidentiality, and privacy controls. We break down each of the audit report sections below.

What’s Included in a SOC 2 Audit Report?

A SOC 2 audit report is broken into four key sections, plus an optional fifth:

  • Auditor report: Also known as an opinion letter, this section includes the auditor’s summary of their audit findings and the overall opinion they are issuing. 

  • Management assertion: This is where you (the business owner) and your management discuss the audit from a business perspective rather than the auditor’s perspective.

  • Description of the system or service: This section is authored by you (the business owner) and includes an overview of your company and its systems, teams, and security controls. 

  • Test results: This section is authored by the auditor and covers how they tested your controls and the results of that testing. 

  • Additional information: This section is not included in all SOC 2 reports. If there are findings identified during the audit, they would be included here along with your response to the findings. It may also contain information you choose to include that was outside of the scope of the audit.

SOC 2 Audit Process: What You Can Expect  

Once you’ve found a CPA firm and laid the groundwork for your internal controls, you can walk through the steps to actually complete the audit. Here’s a look at what needs to happen during the process.

1. Define Your Scope

You will need to assess several parts of your business as part of the audit. 

This will include your company’s: 

  • Tech stack

  • Data flows

  • Infrastructure

  • Business processes

  • People

Discuss the scope with your SOC 2 auditor in advance so you can gather all the information you need for a successful audit and to ensure the scope will cover a broad range of customer needs.

Determining which Trust Service Categories (TSC) to include will also be part of scoping. Security is the only category required to achieve SOC 2 compliance. The other categories are availability, confidentiality, processing integrity, and privacy. Not every category needs to be part of every audit, because not all of them apply to every company. 

If you don’t consider the categories you need to adhere to, you’ll get an incomplete picture of what’s actually necessary to protect your information, and you won’t be able to show your commitment to compliance. That’s why it’s critical to include this step in your planning before the actual audit begins.

2. Prepare for Audit Fieldwork

After you provide all the necessary information to your auditor, they will review evidence for each in-scope control. They may also schedule walkthrough meetings with you to obtain an understanding of controls through observation. They may ask for clarification on the evidence provided or request additional evidence. 

During a SOC 2 Type 2 audit in particular, your auditor may need to request populations (a collection of data and documents related to your controls) and randomly select samples from them to confirm that controls operated over the period of time covered by the audit. 

Controls that typically require populations and samples include: 

  • New hire onboarding

  • Access removal for terminated employees

  • Background checks

  • Security awareness training

  • Code reviews for application changes

3. Receive the Final Report

Once the auditor completes the fieldwork, they will determine if any control exceptions were identified based on the evidence provided (or lack of evidence provided) for each control tested. 

The results will be documented in an extensive report that includes a description of your internal control environment. Typically, audit firms will provide you with a draft report for your review before issuing the signed report. Upon approval of the draft, your auditor will request your signature on a management assertion letter and a management representation letter.

They will then perform a final subsequent event inquiry to determine if significant events took place after the audit period that materially impacted your internal control environment, such as significant information security incidents or changes to the organizational structure. Once these steps are completed, you’ll receive your final SOC 2 report.

How Long Will It Take To Complete a SOC 2 Audit? 

Completing an audit can be time-consuming and complex, but knowing how long the process takes from start to finish will make it easier to plan for and work through. Depending on the type and scope of an audit, the entire process—from the start of fieldwork to issuing the final report—will take an average of four to eight weeks.


How Can You Avoid SOC 2 Audit Delays?

It can take a long time to gather necessary evidence and make your team available for the auditor. If your evidence collection is delayed, the reporting process and the day you get your report may be pushed back. Make sure to obtain an audit timeline from your auditor so you are aware of the key milestones and your responsibilities for ensuring each milestone is met.

The system description can also cause delays if it’s poorly written—a common mistake companies make with SOC 2 compliance. Be sure to work with your auditor early on in the process to ensure you include the required information and avoid this setback.

How Drata Can Help You Simplify the SOC 2 Audit Process

For those going through the SOC 2 compliance process for the first time, it can be a lot to wrap your head around. That’s where Drata comes in. 

Our platform can help you understand the ins and outs of SOC 2 and automate what you can to make the entire process easier. Schedule a demo with our team to learn more about how Drata can help you achieve and maintain continuous compliance.

Richard Stevenson
Richard Stevenson is Manager of Compliance Advisory Services at Drata. He advises customers on building sound cybersecurity risk management programs and security policies that meet security compliance requirements. Richard is an AWS Certified Cloud Practitioner, CompTIA CySA+, and Shared Assessment Certified Third-Party Risk Assessor specializing in SOC 2, ISO 27001, NIST 800-53, NIST 800-171, SOX, HIPAA, third-party risk management, and enterprise risk management.
