SOC 2 Audit Prep: 90-Day Checklist [Template]

exodata.io
Security | Compliance | Cloud | IT Services

Published on: 1 March 2026

A SOC 2 Type II audit evaluates whether your organization’s controls are designed effectively and operating consistently over a review period, typically 6 to 12 months. The audit itself takes weeks. But the preparation that determines whether you pass or fail starts months earlier.

This 90-day checklist provides a structured, week-by-week plan for getting your organization ready for a SOC 2 Type II audit. Whether this is your first audit or you are tightening your program for a renewal, this template gives you a concrete timeline and actionable tasks.

If you are still learning about SOC 2 fundamentals, start with our complete SOC 2 compliance guide before diving into this preparation checklist.

Understanding the SOC 2 Framework

SOC 2 is a compliance framework developed by the American Institute of Certified Public Accountants (AICPA) based on the Trust Services Criteria. It evaluates an organization’s controls in up to five categories:

  • Security (required for every SOC 2 audit) — Protection against unauthorized access
  • Availability — System uptime and accessibility commitments
  • Processing Integrity — Accuracy and completeness of data processing
  • Confidentiality — Protection of confidential information
  • Privacy — Collection, use, and retention of personal information

Most organizations pursuing SOC 2 for the first time focus on Security plus one or two additional criteria relevant to their business. Adding more criteria increases the scope, cost, and preparation effort.

Type I vs Type II

  • SOC 2 Type I evaluates whether controls are properly designed at a single point in time
  • SOC 2 Type II evaluates whether controls are designed properly and operating effectively over a period of time (minimum 6 months)

Type II is what customers and prospects expect. A Type I can serve as a stepping stone, but your goal should be Type II readiness.

The 90-Day SOC 2 Audit Preparation Checklist

Phase 1: Assessment and Planning (Days 1-30)

Week 1: Define Scope and Assemble Your Team

  • Select Trust Services Criteria. Determine which criteria (Security, Availability, Processing Integrity, Confidentiality, Privacy) are relevant based on customer contracts, sales requirements, and business operations.
  • Identify in-scope systems. Map every system, application, infrastructure component, and third-party service that stores, processes, or transmits customer data. Include cloud environments, SaaS tools, CI/CD pipelines, and employee endpoints.
  • Assign an internal audit lead. Designate someone responsible for coordinating the SOC 2 program. This person drives the 90-day plan and serves as the primary contact with the auditor.
  • Form a cross-functional compliance team. Include representatives from engineering, IT operations, HR, and legal. Each function owns controls within their domain.
  • Select your auditor (if not already chosen). Choose a CPA firm experienced in SOC 2 audits for your industry and size. Request proposals, check references, and confirm their availability for your target audit window.
  • Define the audit period. Work with your auditor to establish the observation period. For a first-time Type II, plan for a 6-month minimum review window.

Week 2: Conduct a Gap Assessment

  • Map current controls to Trust Services Criteria. Use the AICPA Trust Services Criteria document to identify every control point. For each criterion, document what controls you currently have in place.
  • Identify gaps. Flag criteria where you have no control, an informal control (undocumented), or a control that is not consistently applied.
  • Assess evidence availability. For each existing control, determine whether you can produce evidence that the control operated effectively. Evidence includes logs, screenshots, configuration exports, tickets, and approval records.
  • Prioritize gaps by risk and effort. Categorize each gap as critical (must fix before audit), important (should fix), or minor (low risk). Focus remediation on critical gaps first.
  • Document current state in a readiness report. Summarize findings so leadership understands the work required and can allocate budget and resources.

Week 3: Develop Your Control Framework

  • Create a control matrix. Build a spreadsheet or use a GRC platform to map each Trust Services Criteria point to a specific control, control owner, evidence type, and collection frequency.
  • Write or update security policies. At minimum, you need: Information Security Policy, Access Control Policy, Change Management Policy, Incident Response Policy, Data Classification Policy, Acceptable Use Policy, Vendor Management Policy, and Business Continuity/Disaster Recovery Policy. Review our guide on creating an incident response plan for a template.
  • Define control procedures. Policies state what you do. Procedures explain how you do it. Document step-by-step procedures for each control.
  • Establish a risk assessment process. SOC 2 requires a formal risk assessment. Document your methodology for identifying, evaluating, and mitigating risks. Update it at least annually.

Week 4: Address Quick Wins and Plan Remediation

  • Enable MFA on all critical systems. Multi-factor authentication on production systems, cloud consoles, code repositories, and email is table stakes for SOC 2. There are no exceptions.
  • Review and tighten access controls. Conduct an access review across all in-scope systems. Remove stale accounts, enforce least privilege, and document who has access to what and why.
  • Enable audit logging. Ensure that all in-scope systems generate and retain audit logs. Centralize logs in a SIEM or log management platform. Verify log retention meets your policy (typically 1 year).
  • Create a remediation project plan. For each critical and important gap identified in Week 2, assign an owner, set a deadline, and track progress. This plan drives the next 60 days.
  • Draft your System Description. The System Description is a required component of the SOC 2 report. It describes your system boundaries, infrastructure, software, people, procedures, and data. Start drafting now — it takes multiple revisions to get right.

Phase 2: Implementation and Remediation (Days 31-60)

Week 5: Technical Controls — Infrastructure Security

  • Harden cloud configurations. Review security groups, network ACLs, storage permissions, and IAM policies against CIS Benchmarks for your cloud platform.
  • Implement encryption at rest and in transit. Ensure all customer data is encrypted using AES-256 or equivalent at rest and TLS 1.2+ in transit. Document encryption key management procedures.
  • Deploy endpoint protection. All employee endpoints and servers should run endpoint detection and response (EDR) software with centralized management and alerting.
  • Configure vulnerability scanning. Implement automated vulnerability scanning on a regular cadence (weekly for infrastructure, with each build for applications). Document your process for triaging and remediating findings.
  • Review network segmentation. Ensure production environments are segmented from development, staging, and corporate networks. Document firewall rules and network architecture.
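The hardening, encryption and segmentation items above are the kind of thing a CIS Benchmark review turns into pass/fail checks, and those checks are easy to automate against a configuration export. The script below is an added illustration, not Exodata's code and not any cloud provider's real API: the snapshot layout, the check names, the list of "admin" ports and the sample resource names are all constructed for this example. It shows a weak configuration beside its hardened counterpart so you can see exactly which settings flip a finding to a pass.

```python
"""Added example: CIS-style configuration checks over a constructed cloud snapshot.

Not exodata's code and not a real provider's API. The snapshot shape, check names
and ADMIN_PORTS list are this example's own assumptions.
"""
import ipaddress

# Ports that should never be reachable from the whole internet
# (constructed list: SSH, RDP, MySQL, PostgreSQL, MSSQL, MongoDB).
ADMIN_PORTS = {22, 3389, 3306, 5432, 1433, 27017}
MIN_TLS = (1, 2)  # TLS 1.2+ in transit, per the checklist


def is_world_open(cidr):
    """True for 0.0.0.0/0 or ::/0, i.e. a prefix that covers every address."""
    return ipaddress.ip_network(cidr, strict=False).prefixlen == 0


def tls_tuple(version):
    """'1.2' -> (1, 2) so versions compare numerically rather than as strings."""
    return tuple(int(part) for part in version.split("."))


def check_snapshot(snapshot):
    """Return a list of (resource, check, detail) findings; empty means every check passed."""
    findings = []
    for sg in snapshot.get("security_groups", []):
        for rule in sg["rules"]:
            exposed = {p for p in ADMIN_PORTS if rule["from_port"] <= p <= rule["to_port"]}
            if exposed and is_world_open(rule["cidr"]):
                findings.append((sg["id"], "admin_port_world_open",
                                 f"ports {sorted(exposed)} allowed from {rule['cidr']}"))
    for bucket in snapshot.get("storage_buckets", []):
        if not bucket["public_access_blocked"]:
            findings.append((bucket["name"], "public_access_not_blocked",
                             "bucket can be exposed publicly"))
        if not bucket["encryption_at_rest"]:
            findings.append((bucket["name"], "encryption_at_rest_disabled",
                             "customer data must be encrypted at rest"))
    for lb in snapshot.get("load_balancers", []):
        if tls_tuple(lb["min_tls_version"]) < MIN_TLS:
            findings.append((lb["name"], "weak_tls_minimum",
                             f"minimum TLS {lb['min_tls_version']} is below 1.2"))
    return findings


# Constructed "before" snapshot: SSH open to the world, a bucket without public-access
# blocking, a bucket without encryption at rest, and a load balancer allowing TLS 1.0.
WEAK_SNAPSHOT = {
    "security_groups": [
        {"id": "sg-web", "rules": [
            {"proto": "tcp", "from_port": 443, "to_port": 443, "cidr": "0.0.0.0/0"},
            {"proto": "tcp", "from_port": 22, "to_port": 22, "cidr": "0.0.0.0/0"}]},
        {"id": "sg-db", "rules": [
            {"proto": "tcp", "from_port": 5432, "to_port": 5432, "cidr": "10.0.0.0/16"}]},
    ],
    "storage_buckets": [
        {"name": "customer-exports", "public_access_blocked": False, "encryption_at_rest": True},
        {"name": "app-logs", "public_access_blocked": True, "encryption_at_rest": False}],
    "load_balancers": [{"name": "api-lb", "min_tls_version": "1.0"}],
}

# Constructed "after" snapshot: SSH restricted to a documented bastion range
# (198.51.100.0/24 is a reserved documentation prefix), buckets fixed, TLS 1.2 minimum.
HARDENED_SNAPSHOT = {
    "security_groups": [
        {"id": "sg-web", "rules": [
            {"proto": "tcp", "from_port": 443, "to_port": 443, "cidr": "0.0.0.0/0"},
            {"proto": "tcp", "from_port": 22, "to_port": 22, "cidr": "198.51.100.0/24"}]},
        {"id": "sg-db", "rules": [
            {"proto": "tcp", "from_port": 5432, "to_port": 5432, "cidr": "10.0.0.0/16"}]},
    ],
    "storage_buckets": [
        {"name": "customer-exports", "public_access_blocked": True, "encryption_at_rest": True},
        {"name": "app-logs", "public_access_blocked": True, "encryption_at_rest": True}],
    "load_balancers": [{"name": "api-lb", "min_tls_version": "1.2"}],
}

if __name__ == "__main__":
    for resource, check, detail in check_snapshot(WEAK_SNAPSHOT):
        print(f"FAIL {check:<28} {resource:<18} {detail}")
    print("hardened findings:", check_snapshot(HARDENED_SNAPSHOT))
```

Run against a real export you would map the provider's field names onto this shape; the value of keeping the checks as plain functions is that the same output doubles as evidence for Week 8 (a dated, reproducible finding list per control).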

Week 6: Technical Controls — Application and Data Security

  • Review application security controls. Verify input validation, authentication mechanisms, session management, and authorization controls in your application.
  • Implement or verify backup procedures. Confirm that backups run on schedule, are encrypted, and are stored in a separate location. Test a backup restoration to verify integrity.
  • Configure alerting and monitoring. Set up alerts for security events: failed login attempts, privilege escalations, configuration changes, and anomalous activity. Ensure alerts route to the right team with defined response SLAs.
  • Document your SDLC. SOC 2 auditors evaluate your software development lifecycle. Document code review requirements, testing procedures, deployment processes, and change approval workflows.
  • Conduct a penetration test (or schedule one). While not strictly required for SOC 2, a penetration test demonstrates due diligence and often identifies gaps your internal scans miss. Results should be documented and findings remediated.

Week 7: Administrative Controls — HR and Operations

  • Implement background checks for new hires. Document your background check policy and ensure it applies to all employees with access to in-scope systems.
  • Create a security awareness training program. All employees should complete security awareness training at onboarding and annually thereafter. Document completion records — auditors will request them.
  • Formalize your onboarding and offboarding procedures. Document the process for provisioning access when employees join and revoking access when they leave. Access removal should happen within 24 hours of termination.
  • Establish a vendor management program. Identify all third-party vendors that access, process, or store customer data. Collect their SOC 2 reports (or equivalent security documentation), assess risk, and document your review. For more on navigating compliance standards across your vendor ecosystem, review our compliance guide.
  • Document business continuity and disaster recovery plans. Define your RTO and RPO targets, document recovery procedures, and schedule a tabletop exercise or DR test.
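The Week 4 access review and this week's 24-hour offboarding requirement are two faces of one check: reconcile every in-scope system's account list against the HR roster and flag anything that should not be there. The script below is an added example, not code from the original post or from Exodata; the roster and account exports are constructed, and the finding codes, the 90-day stale threshold and the 24-hour SLA are assumptions chosen to match the checklist's wording. It also flags accounts without MFA, since the checklist allows no exceptions there.

```python
"""Added example: reconcile a system's account export against the HR roster.

HR_ROSTER and SYSTEM_ACCOUNTS are constructed sample data; the finding codes,
thresholds and field names are this example's own assumptions.
"""
from datetime import datetime, timedelta

# Constructed HR roster export (ISO 8601 timestamps).
HR_ROSTER = {
    "alice": {"status": "active", "terminated_at": None},
    "bob": {"status": "terminated", "terminated_at": "2026-02-10T17:00:00"},
    "carol": {"status": "active", "terminated_at": None},
}

# Constructed account export from one in-scope system.
SYSTEM_ACCOUNTS = [
    {"username": "alice", "role": "admin", "last_login": "2026-02-27T08:15:00", "mfa_enabled": True},
    {"username": "bob", "role": "developer", "last_login": "2026-02-09T18:40:00", "mfa_enabled": True},
    {"username": "carol", "role": "developer", "last_login": "2025-10-01T12:00:00", "mfa_enabled": False},
    {"username": "svc-deploy", "role": "admin", "last_login": "2026-02-28T02:00:00", "mfa_enabled": False},
]

# Fixed review date so the run is reproducible; a real review uses the current time.
REVIEW_DATE = datetime(2026, 3, 1, 9, 0, 0)


def review_access(accounts, roster, as_of, stale_days=90, offboarding_hours=24):
    """Return a list of findings; an empty list means the system passed the review."""
    findings = []
    stale_before = as_of - timedelta(days=stale_days)
    for acct in accounts:
        user = acct["username"]
        hr = roster.get(user)
        if hr is None:
            # Service accounts and orphans must be explained to the auditor, so flag them.
            findings.append({"username": user, "code": "NO_HR_RECORD",
                             "detail": "no matching HR record; document owner and justification"})
        elif hr["status"] == "terminated":
            terminated_at = datetime.fromisoformat(hr["terminated_at"])
            hours_since = (as_of - terminated_at) / timedelta(hours=1)
            if hours_since > offboarding_hours:
                findings.append({"username": user, "code": "TERMINATED_RETAINS_ACCESS",
                                 "detail": f"access still present {hours_since:.0f}h after "
                                           f"termination (SLA {offboarding_hours}h)"})
        if datetime.fromisoformat(acct["last_login"]) < stale_before:
            findings.append({"username": user, "code": "STALE_ACCOUNT",
                             "detail": f"no login since {acct['last_login']} "
                                       f"(threshold {stale_days} days)"})
        if not acct["mfa_enabled"]:
            findings.append({"username": user, "code": "MFA_DISABLED",
                             "detail": "MFA is required on all in-scope systems"})
    return findings


def summarize(findings):
    """Count findings per code, for the readiness report and the remediation plan."""
    counts = {}
    for f in findings:
        counts[f["code"]] = counts.get(f["code"], 0) + 1
    return counts


if __name__ == "__main__":
    results = review_access(SYSTEM_ACCOUNTS, HR_ROSTER, REVIEW_DATE)
    for f in results:
        print(f"{f['code']:<26} {f['username']:<12} {f['detail']}")
    print(summarize(results))
```

Run this per system on the cadence your Access Control Policy states (the "policy says quarterly, nobody did it" failure mode later in this article), and keep the dated output plus the tickets that closed each finding; together they are the evidence that the review both happened and was acted on.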

Week 8: Evidence Collection System

  • Set up your evidence repository. Create an organized folder structure (or configure your GRC tool) to store evidence by control. Use consistent naming conventions and version control.
  • Automate evidence collection where possible. Use APIs and integrations to automatically pull configuration snapshots, access lists, and compliance reports from your cloud platforms and tools.
  • Collect initial evidence for each control. For every control in your matrix, gather at least one piece of evidence demonstrating implementation. This validates that your controls produce auditable artifacts.
  • Establish evidence collection cadences. Define how frequently evidence is collected for each control (real-time, daily, weekly, monthly, quarterly). Assign responsibility for each collection task.
  • Conduct an internal evidence review. Have someone other than the control owner review the evidence for completeness and clarity. If evidence is confusing or incomplete now, it will be during the audit too.
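The evidence repository, the naming convention, the automated collection and the internal review above all hinge on one property: the artifact your auditor sees must be provably the artifact that was collected on the stated date. As an added example (not the original post's or Exodata's code), the script below stores each collected artifact under its control ID with a consistent file name, appends a manifest entry carrying a SHA-256 digest, and lets a reviewer re-verify the whole repository. The control IDs, the stand-in collector and the sample data are constructed; a real collector would call your identity provider's or cloud platform's API in place of `collect_mfa_status()`.

```python
"""Added example: store evidence artifacts with a hashed manifest and re-verify them.

Control IDs, the collector stand-in and its data are constructed for this example;
they do not come from exodata or from the Trust Services Criteria document.
"""
import hashlib
import json
import tempfile
from datetime import datetime, timezone
from pathlib import Path

# Fixed collection time so the run is reproducible; a real collector uses the current UTC time.
COLLECTED_AT = datetime(2026, 3, 1, 6, 0, tzinfo=timezone.utc)


def evidence_filename(control_id, system, artifact, collected_at):
    """Consistent naming: <control>_<system>_<artifact>_<UTC timestamp>.json"""
    return f"{control_id}_{system}_{artifact}_{collected_at.strftime('%Y%m%dT%H%M%SZ')}.json"


def store_evidence(repo_root, control_id, system, artifact, payload, collected_at, collector):
    """Write the artifact under its control directory and append a manifest entry with its digest."""
    control_dir = Path(repo_root) / control_id
    control_dir.mkdir(parents=True, exist_ok=True)
    body = json.dumps(payload, indent=2, sort_keys=True).encode("utf-8")
    path = control_dir / evidence_filename(control_id, system, artifact, collected_at)
    path.write_bytes(body)
    entry = {
        "control_id": control_id, "system": system, "artifact": artifact,
        "path": str(path.relative_to(repo_root)),
        "sha256": hashlib.sha256(body).hexdigest(),
        "collected_at": collected_at.isoformat(), "collector": collector,
    }
    with (Path(repo_root) / "manifest.jsonl").open("a", encoding="utf-8") as fh:
        fh.write(json.dumps(entry) + "\n")
    return entry


def verify_repository(repo_root):
    """Recompute every digest; returns (ok_count, problems) for the internal evidence review."""
    root = Path(repo_root)
    ok, problems = 0, []
    for line in (root / "manifest.jsonl").read_text(encoding="utf-8").splitlines():
        entry = json.loads(line)
        path = root / entry["path"]
        if not path.exists():
            problems.append((entry["path"], "missing"))
        elif hashlib.sha256(path.read_bytes()).hexdigest() != entry["sha256"]:
            problems.append((entry["path"], "digest mismatch"))
        else:
            ok += 1
    return ok, problems


def collect_mfa_status():
    """Stand-in for an identity-provider API call; returns constructed data."""
    return {"users": [{"username": "alice", "mfa_enabled": True},
                      {"username": "carol", "mfa_enabled": False}]}


def run_collection(repo_root):
    """One collection cycle for two constructed controls from the Week 3 control matrix."""
    return [
        store_evidence(repo_root, "CTRL-ACCESS-01", "idp", "mfa-status",
                       collect_mfa_status(), COLLECTED_AT, "collector-bot"),
        store_evidence(repo_root, "CTRL-ACCESS-02", "idp", "admin-accounts",
                       {"admins": ["alice"]}, COLLECTED_AT, "collector-bot"),
    ]


def demo():
    """Collect, verify, then tamper with one artifact to show the review catching it."""
    with tempfile.TemporaryDirectory() as root:
        entries = run_collection(root)
        ok, problems = verify_repository(root)
        (Path(root) / entries[0]["path"]).write_text("{}", encoding="utf-8")  # simulated edit
        _, problems_after = verify_repository(root)
    return {"stored": len(entries), "verified": ok, "problems": problems,
            "problems_after_tamper": problems_after}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

In practice the manifest lives in version control alongside the artifacts, which gives you the history and approval trail Week 11 asks for; the point of the digest is that the internal reviewer, and later the auditor, can tell a pristine export from one that was touched up after the fact.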

Phase 3: Validation and Final Preparation (Days 61-90)

Week 9: Internal Audit and Mock Assessment

  • Conduct an internal audit. Walk through every control in your matrix. Verify that the control operates as documented, evidence is available, and the control owner can explain and demonstrate the control.
  • Identify and remediate remaining gaps. Any controls that fail the internal audit need immediate attention. Assign owners and track remediation to closure.
  • Perform a mock audit walkthrough. Simulate the auditor experience. Have a team member (or consultant) role-play as an auditor, request evidence, interview control owners, and identify weaknesses in your responses.
  • Update the System Description. Revise your System Description to reflect all changes made during the remediation phase. Ensure it accurately describes your current environment.

Week 10: Employee Readiness

  • Train control owners for interviews. Auditors will interview key personnel. Prepare control owners to explain their controls, demonstrate how they work, and point to evidence. Practice common auditor questions.
  • Verify security training completion. Confirm that all employees have completed security awareness training and that records are available.
  • Conduct a tabletop incident response exercise. Walk through a simulated security incident with your response team. Document the exercise, findings, and any process improvements. Auditors look for evidence of tested incident response capabilities.
  • Review and confirm all access is current. Conduct a final access review to ensure no stale accounts remain and all access aligns with the principle of least privilege.

Week 11: Documentation Review

  • Review all policies for accuracy and completeness. Ensure policies reflect actual practices. Policies that describe aspirational controls rather than implemented ones create audit findings.
  • Verify document version control. All policies and procedures should have version numbers, approval dates, and evidence of management review and approval.
  • Confirm all evidence is organized and accessible. Walk through your evidence repository. Ensure every control has corresponding, clearly labeled evidence. Remove outdated or irrelevant artifacts.
  • Prepare an evidence request list response. Your auditor will send an initial evidence request list (also called a PBC — Prepared by Client list). Pre-populate responses and stage evidence so you can respond quickly when the list arrives.
  • Finalize your risk assessment. Complete or update your annual risk assessment. Document risks, mitigations, and residual risk acceptance decisions.

Week 12: Final Preparations

  • Send the System Description to your auditor for preliminary review. Getting early feedback reduces revisions during fieldwork.
  • Schedule audit fieldwork logistics. Confirm dates, remote access requirements, interview schedules, and point-of-contact assignments with your auditor.
  • Brief leadership. Ensure executives understand the audit process, timeline, and their potential involvement (management representation letter, interviews).
  • Create an audit communication plan. Designate a single point of contact for auditor requests. Define internal escalation procedures for evidence requests that cannot be fulfilled quickly.
  • Perform a final confidence check. Review your control matrix one last time. For each control, confirm: it is implemented, it is documented, evidence exists, and the control owner is prepared. Flag any remaining concerns and address them before fieldwork begins.

SOC 2 Audit Preparation: Key Success Factors

Start with Scope Control

The single most impactful decision in SOC 2 preparation is scope. Every system, application, and service within scope requires controls, evidence, and ongoing maintenance. Minimize scope by segmenting environments and isolating customer data to defined boundaries. This reduces cost, complexity, and audit risk.

Invest in Automation

Manual evidence collection does not scale. Organizations that rely on screenshots and spreadsheets for their first audit quickly find the process unsustainable for renewals. Invest in automation tools early — cloud-native security and compliance services can significantly reduce the ongoing burden of maintaining SOC 2 compliance.

Treat SOC 2 as an Operating Model

SOC 2 is not a one-time project. Type II audits recur annually. The controls, processes, and evidence collection must operate continuously. Build SOC 2 compliance into your daily operations rather than treating it as a periodic sprint.

Common Reasons Audits Fail

  • Incomplete or inconsistent evidence. Controls existed but evidence was not collected during the review period.
  • Policies that do not match reality. A policy states quarterly access reviews, but no access reviews were performed.
  • Missing security training records. Employee training was conducted but not documented.
  • Gaps in access management. Terminated employees retained access, or access reviews were not conducted on schedule.
  • Insufficient monitoring and alerting. Logs existed but were not reviewed, or alerts were configured but not acted upon.

Tools That Support SOC 2 Preparation

While not an endorsement, these tool categories commonly support SOC 2 programs:

Category                 Purpose                                         Examples
GRC Platforms            Automate evidence collection, manage controls   Vanta, Drata, Secureframe
SIEM                     Centralized log management and alerting         Microsoft Sentinel, Splunk, Elastic
EDR                      Endpoint detection and response                 CrowdStrike, Microsoft Defender for Endpoint
Identity Management      Access control and SSO                          Entra ID, Okta
Vulnerability Scanning   Automated security assessments                  Qualys, Tenable, Rapid7
Backup and DR            Data protection and recovery                    Azure Backup, Veeam

Frequently Asked Questions

How long does it take to prepare for a SOC 2 Type II audit?

Most organizations need 6 to 12 months of total preparation before their first Type II audit. This 90-day checklist assumes you already have some foundational security controls in place. If you are starting from zero, add 3 to 6 months for implementation before beginning this checklist.

How much does a SOC 2 audit cost?

Audit fees from CPA firms typically range from $30,000 to $100,000+ depending on scope, complexity, and the number of Trust Services Criteria included. Implementation costs (tools, consultants, personnel time) add significantly to total program cost. GRC automation platforms typically run $10,000 to $50,000 annually.

Can we do SOC 2 in-house, or do we need a consultant?

The audit itself must be performed by a licensed CPA firm. Preparation can be done in-house if you have staff with compliance expertise. Many organizations, particularly those pursuing SOC 2 for the first time, engage consultants for gap assessment and readiness support. Exodata provides comprehensive compliance services that include SOC 2 readiness assessment and remediation support.

What is the difference between SOC 2 and ISO 27001?

SOC 2 is an attestation report issued by a CPA firm based on the AICPA Trust Services Criteria. ISO 27001 is a certification issued by an accredited certification body based on the ISO/IEC 27001 standard. Both address information security, but they have different structures, assessment approaches, and market expectations. SOC 2 is more common in North America; ISO 27001 has broader international recognition.

Do we need a SOC 2 Type I before Type II?

No. A Type I is not a prerequisite for Type II. Some organizations skip Type I entirely and go straight to Type II. However, a Type I can be useful as a milestone to demonstrate progress to customers while you build the operating history needed for Type II.

What happens during SOC 2 audit fieldwork?

During fieldwork, the auditor will: request and review evidence for each control, interview control owners and key personnel, test a sample of transactions and events to verify control operation, review system configurations and security settings, and evaluate management’s risk assessment process. Fieldwork typically takes 2 to 6 weeks depending on scope.

Get Started

SOC 2 compliance signals to customers and prospects that you take security seriously and have the operational maturity to protect their data. The 90-day timeline in this checklist is ambitious but achievable with dedicated resources and clear ownership.

If you need expert guidance on SOC 2 preparation, from initial gap assessment through audit readiness, Exodata’s compliance team can help you build a program that passes the audit and strengthens your actual security posture. Learn more about our approach to IT compliance or explore how a SOC 2 program fits into your broader compliance strategy.
