The first time your auditor schedules fieldwork, the panic sets in. Suddenly everyone wants to know: where are the policies? Who approved those deployments? Can we prove our access reviews actually happened?
It doesn't have to be a crisis. With a plan that starts 90 days out, you can walk into fieldwork confident and come out with a clean report.
90 Days Before: Establish Your Baseline
Complete a Readiness Assessment
A SOC 2 readiness assessment is essentially a practice audit. Either hire a consultant or conduct it yourself, using the AICPA Trust Services Criteria as your guide. Go through each criterion and honestly assess:
- Is this control documented?
- Is it implemented?
- Can you produce evidence it's operating effectively?
Select your CPA firm and schedule your audit early. Good SOC 2 auditors book up quickly. Have an initial call to align on scope, evidence requirements, and the audit timeline.
Ask your auditor specifically:
- What evidence format do they prefer?
- What's their typical request list for companies like yours?
- How far back does the evidence period start?
The scope defines what systems and services are included in your SOC 2 report. A broader scope means more controls to document and more evidence to collect. Keep the scope as narrow as defensible.
Common scope decisions:
- Include only production systems that process customer data
- Exclude internal tools that don't touch customer data
- Clearly document why things are in or out of scope
60 Days Before: Close Your Gaps
Policy Documentation Sprint
Every SOC 2 control needs policy support. By now you know which policies are missing or outdated. Fix them.
Required policies for most SOC 2 audits:
- Information Security Policy
- Access Control Policy
- Change Management Policy
- Incident Response Policy
- Vendor Management Policy
- Business Continuity Policy
- Acceptable Use Policy
- Data Classification Policy
- Password Policy
Close your technical gaps in priority order:
Every employee who touches production systems must have documented security training. This is a consistent audit finding for companies that skip it. Run a training session, collect acknowledgments, and save the completion records.
30 Days Before: Evidence Collection Mode
Build Your Evidence Repository
Organize evidence by control. Your auditor will request specific documents; having them pre-organized saves frantic searching during fieldwork.
Typical evidence categories:
- Access control: User lists, access review records, HR offboarding tickets for terminated employees
- Change management: Deployment logs, approval records, PR merge histories
- Incident response: Incident log/register with resolution records
- Vendor management: Vendor inventory, questionnaire responses, contract excerpts
- Training: Training completion records
- Vulnerability management: Scan results, remediation tracking
- Backup and DR: Backup completion logs, restore test records
- Monitoring: Alert configuration documentation, log review records
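The offboarding evidence listed under access control (and the termination-date check the auditor runs, described under the last-minute mistakes below) can be produced for the whole leaver population instead of waiting for the auditor to sample a handful. The following is an added example, not code from the original article or from OuterSec: it joins a constructed HR termination export against a constructed deprovisioning export and flags removals that were late or that have no evidence at all. The column names, the in-scope systems and the one-day SLA are assumptions; map your own exports and policy onto them.

```python
"""Reconcile HR termination dates against access-removal evidence.

An auditor samples leavers from the HR list and asks for proof that each
account was disabled within your policy's SLA. This runs the same comparison
over every leaver and every in-scope system, so you find the misses first.
"""
import csv
import io
from datetime import date

# Constructed sample HR export: who left and when.
HR_TERMINATIONS = """employee_id,name,termination_date
e101,Alice Example,2024-03-04
e102,Bob Example,2024-03-15
e103,Carol Example,2024-04-02
e104,Dan Example,2024-04-20
"""

# Constructed sample deprovisioning evidence (e.g. an IdP export joined to
# offboarding tickets). Column names are assumed; adapt them to your export.
ACCESS_REMOVALS = """employee_id,system,disabled_date,ticket
e101,okta,2024-03-04,IT-2201
e101,github,2024-03-05,IT-2201
e102,okta,2024-03-22,IT-2260
e102,github,2024-03-22,IT-2260
e103,okta,2024-04-02,IT-2310
"""

# Systems every leaver must be removed from (assumed scope for this example).
IN_SCOPE_SYSTEMS = ("okta", "github")


def _rows(text):
    return list(csv.DictReader(io.StringIO(text)))


def reconcile(hr_csv, removals_csv, systems=IN_SCOPE_SYSTEMS, sla_days=1):
    """One finding per (leaver, system); status is "ok", "late" or "no_evidence"."""
    removals = {}
    for row in _rows(removals_csv):
        removals[(row["employee_id"], row["system"])] = row

    findings = []
    for leaver in _rows(hr_csv):
        left = date.fromisoformat(leaver["termination_date"])
        for system in systems:
            row = removals.get((leaver["employee_id"], system))
            if row is None:
                # No disable record and no ticket: nothing to show the auditor.
                findings.append({"employee_id": leaver["employee_id"], "system": system,
                                 "status": "no_evidence", "days_late": None, "ticket": None})
                continue
            elapsed = (date.fromisoformat(row["disabled_date"]) - left).days
            # Disabling before the termination date (negative elapsed) is fine;
            # only removal later than the SLA counts as late.
            status = "late" if elapsed > sla_days else "ok"
            findings.append({"employee_id": leaver["employee_id"], "system": system,
                             "status": status, "days_late": max(elapsed - sla_days, 0),
                             "ticket": row["ticket"]})
    return findings


def exceptions(findings):
    """The subset you must remediate, or disclose to the auditor up front."""
    return [f for f in findings if f["status"] != "ok"]


if __name__ == "__main__":
    for finding in exceptions(reconcile(HR_TERMINATIONS, ACCESS_REMOVALS)):
        print(finding)
```

Keep the output alongside the two source exports in the evidence repository; a list of exceptions you found yourself, with remediation tickets, reads very differently to an auditor than the same list discovered during their sampling.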
Verify your audit logs are complete and continuous for the audit period. Gaps in logging are a common finding. Check:
- Authentication events (success and failure)
- Privilege escalation events
- Configuration changes
- File access for sensitive data
- Admin actions
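Checking the points above against an actual export, rather than by eye, is what catches the gaps. Here is an added example (not from the original article or from OuterSec) that walks a constructed JSON-lines log export and reports three things an evidence review tends to expose: stretches of the period with no events at all, sources that stopped shipping before the period ended, and required categories that never appear. The field names, the two-day sample period and the gap thresholds are assumptions chosen to keep the sample small; a real audit period is months long and you would tune the thresholds to your pipeline.

```python
"""Check an audit-log export for completeness before fieldwork.

Three checks an evidence review tends to expose:
  1. stretches of the audit period with no events at all (pipeline outages),
  2. individual sources that went silent before the period ended,
  3. required event categories that never appear.
"""
import json
from datetime import datetime, timedelta, timezone

# Event categories the audit period must show evidence for.
REQUIRED_CATEGORIES = {
    "auth_success", "auth_failure", "privilege_escalation",
    "config_change", "sensitive_file_access", "admin_action",
}

# Constructed sample export, one JSON event per line. Field names are assumed;
# map your SIEM's export onto "ts", "category" and "source" before running.
SAMPLE_EXPORT = """
{"ts": "2024-01-01T00:10:00Z", "category": "auth_success", "source": "web-01", "user": "alice"}
{"ts": "2024-01-01T03:00:00Z", "category": "auth_failure", "source": "bastion", "user": "bob"}
{"ts": "2024-01-01T08:30:00Z", "category": "config_change", "source": "web-02", "user": "deploy"}
{"ts": "2024-01-01T12:00:00Z", "category": "admin_action", "source": "web-02", "user": "alice"}
{"ts": "2024-01-01T14:00:00Z", "category": "auth_success", "source": "web-01", "user": "carol"}
{"ts": "2024-01-02T02:00:00Z", "category": "auth_success", "source": "bastion", "user": "alice"}
{"ts": "2024-01-02T06:00:00Z", "category": "privilege_escalation", "source": "bastion", "user": "alice"}
{"ts": "2024-01-02T11:00:00Z", "category": "auth_success", "source": "web-01", "user": "bob"}
{"ts": "2024-01-02T16:30:00Z", "category": "config_change", "source": "web-01", "user": "deploy"}
{"ts": "2024-01-02T21:00:00Z", "category": "admin_action", "source": "bastion", "user": "carol"}
"""


def _parse_ts(value):
    # fromisoformat() in older Pythons rejects a trailing "Z"; normalise it first.
    return datetime.fromisoformat(value.replace("Z", "+00:00")).astimezone(timezone.utc)


def parse_events(text):
    """Return (timestamp, category, source) tuples sorted by time."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        events.append((_parse_ts(rec["ts"]), rec["category"], rec["source"]))
    return sorted(events)


def find_gaps(events, period_start, period_end, max_gap):
    """Intervals inside [period_start, period_end] longer than max_gap with no events.

    The period edges count too: a pipeline that started late or died early shows up.
    """
    gaps = []
    prev = period_start
    for ts, _, _ in events:
        if ts < period_start or ts > period_end:
            continue  # outside the audit window, irrelevant here
        if ts - prev > max_gap:
            gaps.append((prev, ts))
        prev = ts
    if period_end - prev > max_gap:
        gaps.append((prev, period_end))
    return gaps


def silent_sources(events, period_end, max_silence):
    """Sources whose last event is more than max_silence before the period ended."""
    last_seen = {}
    for ts, _, source in events:
        last_seen[source] = max(ts, last_seen.get(source, ts))
    return sorted(s for s, ts in last_seen.items() if period_end - ts > max_silence)


def missing_categories(events, required=REQUIRED_CATEGORIES):
    """Required categories with zero events in the export."""
    return sorted(required - {cat for _, cat, _ in events})


def coverage_report(text, period_start, period_end, max_gap_hours=6, max_silence_hours=24):
    """Run all three checks; period bounds are ISO-8601 strings, gaps come back as ISO strings."""
    start, end = _parse_ts(period_start), _parse_ts(period_end)
    events = parse_events(text)
    gaps = find_gaps(events, start, end, timedelta(hours=max_gap_hours))
    return {
        "event_count": len(events),
        "gaps": [(a.isoformat(), b.isoformat()) for a, b in gaps],
        "silent_sources": silent_sources(events, end, timedelta(hours=max_silence_hours)),
        "missing_categories": missing_categories(events),
    }


if __name__ == "__main__":
    report = coverage_report(SAMPLE_EXPORT, "2024-01-01T00:00:00Z", "2024-01-03T00:00:00Z")
    for key, value in report.items():
        print(f"{key}: {value}")
```

Run it over the export for the full audit period, not a recent slice: a gap in month two is a finding whether or not month six looks healthy, and a host that quietly stopped shipping logs is exactly the kind of thing the per-source check exists for.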
Do a practice run. Pretend you're the auditor and ask your team for evidence of each control. Identify anything you can't produce evidence for and close those gaps before your real audit.
During Fieldwork: How to Navigate Auditor Requests
Respond Quickly
Auditors work on tight timelines. When they request evidence, respond within 24-48 hours. Slow responses extend fieldwork and increase cost.
Be Honest About Exceptions
If a control wasn't operating perfectly for the entire audit period, say so. Auditors find exceptions. It's better to disclose them proactively and show your remediation than to have the auditor discover them through evidence review.
A report that notes exceptions, even a qualified opinion, is manageable. Providing misleading evidence is not.
Designate a Point of Contact
Assign one person to coordinate with the auditor and own all evidence requests. Auditors hate chasing multiple people for answers.
Maintain Audit Logs During Fieldwork
Keep doing everything correctly during the audit period. Don't let controls slip because you're focused on the audit itself. Evidence review often continues right up to the end.
Common Last-Minute Mistakes
- Backdating documentation: don't. Auditors are trained to detect it, and the timestamps on files, git commits and system logs tell a story that your backdated documents will contradict.
- Creating policies that don't match practice: if your password policy says 12+ characters but your systems allow 8, that's a finding. Make sure policies reflect reality.
- Forgetting about offboarding evidence: when employees leave, you need evidence that their access was removed promptly. Auditors check termination dates against access removal dates.
- Ignoring third-party services: your auditor will ask about the shared responsibility model. Have SOC 2 reports or security documentation from your critical cloud providers ready.
- Not testing your DR plan: "we have a backup" is not the same as "we've tested that we can restore from backup". Test it before your audit.
Using Automated Monitoring to Streamline Audits
The companies that breeze through SOC 2 audits have one thing in common: continuous monitoring. They don't scramble to find evidence because they've been collecting it automatically all year.
OuterSec generates audit-ready compliance reports from continuous monitoring data. When your auditor asks for evidence that your security controls operated effectively over the audit period, you export a report, not a panic.
Start your audit preparation with a compliance scan. See exactly where you stand across all SOC 2 criteria before your auditor does.