
SOC 2 Audit Prep SOP

Sub-procedure of soc2-gap-sop.md

Overview

Detailed procedures for preparing organizations for SOC 2 Type I or Type II audits, including auditor selection guidance, evidence organization, personnel preparation, and pre-audit readiness validation. This sub-procedure covers the final preparation phase before auditor engagement.

Scope

Parent SOP: SOC 2 Gap Assessment
Pillar: Protect (Security & Compliance)
Service Area: SOC 2 Audit Preparation

Prerequisites

  • Parent SOP requirements met
  • SOC 2 readiness assessment completed
  • Critical and high-priority gaps remediated
  • Control documentation finalized
  • System description approved
  • Audit budget approved

Procedure

Step 1: Auditor Selection

Objective: Select appropriate CPA firm for SOC 2 audit

Selection Criteria:

| Factor | Weight | Evaluation Approach |
|---|---|---|
| AICPA Membership | Required | Verify CPA license and SOC 2 authorization |
| Industry Experience | High | Request relevant client references |
| Size Fit | Medium | Match firm size to engagement complexity |
| Pricing | Medium | Compare quotes (audit days x day rate) |
| Timeline | Medium | Availability for target audit window |
| Communication Style | Medium | Assess during proposal process |

Auditor Types:

| Type | Best For | Typical Cost Range |
|---|---|---|
| Big 4 | Enterprise, M&A readiness | $80,000-$200,000+ |
| Regional Firms | Mid-market, quality focus | $30,000-$80,000 |
| Boutique Firms | Startups, cost-conscious | $15,000-$40,000 |

RFP Process:

  1. Develop RFP with scope, timeline, requirements
  2. Send to 3-5 qualified firms
  3. Evaluate proposals against criteria
  4. Conduct finalist interviews
  5. Check references
  6. Select and engage auditor

Auditor Selection Checklist:

  • Verified AICPA membership and SOC 2 qualifications
  • Obtained 3+ proposals for comparison
  • Checked references from similar organizations
  • Confirmed availability for target audit window
  • Reviewed sample report for quality
  • Negotiated pricing and payment terms
  • Executed engagement letter

Step 2: Evidence Organization

Objective: Prepare evidence package for efficient audit execution

Evidence Organization Structure:

/SOC2-Evidence/
├── CC1-Control-Environment/
│   ├── Org-Structure/
│   ├── Board-Oversight/
│   └── HR-Policies/
├── CC2-Communication/
│   ├── Security-Awareness/
│   └── Policy-Distribution/
├── CC3-Risk-Assessment/
│   ├── Risk-Assessments/
│   └── Risk-Register/
├── CC4-Monitoring/
│   ├── Control-Monitoring/
│   └── Deficiency-Tracking/
├── CC5-Control-Activities/
│   ├── Policies/
│   └── Procedures/
├── CC6-Access/
│   ├── User-Access/
│   ├── Privileged-Access/
│   └── Physical-Access/
├── CC7-Operations/
│   ├── Vulnerability-Mgmt/
│   ├── Monitoring/
│   └── Incident-Response/
├── CC8-Change-Mgmt/
│   ├── SDLC/
│   ├── Testing/
│   └── Deployment/
├── CC9-Risk-Mitigation/
│   ├── Vendor-Mgmt/
│   └── BCP-DR/
└── Additional-Categories/
    ├── Availability/
    ├── Confidentiality/
    ├── Processing-Integrity/
    └── Privacy/

Evidence Naming Convention: [CC#]_[ControlID]_[Description]_[Date].[ext]

Example: CC6_AC01_AccessReview_2026Q1.xlsx

Evidence Quality Standards:

| Standard | Requirement |
|---|---|
| Completeness | Covers full audit period (Type II) or point-in-time (Type I) |
| Accuracy | Reflects actual control operation |
| Relevance | Directly supports control being tested |
| Timeliness | Within audit period, dated appropriately |
| Authenticity | From authoritative source, not modified |
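The folder layout, naming convention and quality standards above are easy to enforce mechanically before the package goes to the auditor. The following script is an added example, not part of this SOP: it walks an evidence tree, flags files that do not match `[CC#]_[ControlID]_[Description]_[Date].[ext]`, files whose `CC#` prefix disagrees with the top-level folder they sit in, and files whose date token falls outside the audit period (the Timeliness standard), and it produces a SHA-256 manifest that can later be re-checked to show nothing was modified (the Authenticity standard). The control-ID shape (`AC01`, `VM02`), the acceptance of an ISO date as an alternative to the quarter token, and the sample files are assumptions made for the example; the `Additional-Categories/` folder is skipped because the SOP gives no prefix for it.

```python
"""Lint a SOC 2 evidence package against the SOP's folder layout, naming convention
and audit-period rule, and hash it for later integrity checks. Added example."""
import hashlib
import re
import tempfile
from datetime import date, timedelta
from pathlib import Path

# Top-level folders from the SOP's evidence tree, keyed by Common Criteria prefix.
CATEGORY_DIRS = {
    "CC1": "CC1-Control-Environment", "CC2": "CC2-Communication",
    "CC3": "CC3-Risk-Assessment", "CC4": "CC4-Monitoring",
    "CC5": "CC5-Control-Activities", "CC6": "CC6-Access",
    "CC7": "CC7-Operations", "CC8": "CC8-Change-Mgmt",
    "CC9": "CC9-Risk-Mitigation",
}

# [CC#]_[ControlID]_[Description]_[Date].[ext]. The date token is a quarter, as in the
# SOP's example; accepting an ISO date as well is an assumption added here.
NAME_RE = re.compile(
    r"^(?P<cc>CC[1-9])_(?P<ctl>[A-Z]{2,4}\d{2,3})_(?P<desc>[A-Za-z0-9-]+)"
    r"_(?P<dt>\d{4}Q[1-4]|\d{4}-\d{2}-\d{2})\.(?P<ext>[A-Za-z0-9]+)$"
)


def date_span(token):
    """Return the (first, last) calendar dates a date token covers."""
    if "Q" in token:
        year, quarter = int(token[:4]), int(token[5])
        first = date(year, 3 * quarter - 2, 1)
        last_month = 3 * quarter
        next_month_start = date(year + (1 if last_month == 12 else 0), last_month % 12 + 1, 1)
        return first, next_month_start - timedelta(days=1)
    single = date.fromisoformat(token)
    return single, single


def lint_evidence(root, period_start, period_end):
    """Return (relative_path, finding) pairs; an empty list means the package is clean."""
    root = Path(root)
    findings = []
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        rel_parts = path.relative_to(root).parts
        rel = "/".join(rel_parts)
        if rel_parts[0] == "Additional-Categories":
            continue  # no naming prefix defined for these categories in the SOP
        match = NAME_RE.match(path.name)
        if not match:
            findings.append((rel, "name does not follow [CC#]_[ControlID]_[Description]_[Date].[ext]"))
            continue
        expected_dir = CATEGORY_DIRS[match["cc"]]
        if rel_parts[0] != expected_dir:
            findings.append((rel, f"{match['cc']} evidence belongs under {expected_dir}/"))
        first, last = date_span(match["dt"])
        if last < period_start or first > period_end:
            findings.append((rel, f"dated {match['dt']}, outside audit period {period_start}..{period_end}"))
    return findings


def build_manifest(root):
    """SHA-256 of every file keyed by relative path; keep it with the package so the
    evidence can be shown unmodified when the auditor samples it."""
    root = Path(root)
    return {"/".join(p.relative_to(root).parts): hashlib.sha256(p.read_bytes()).hexdigest()
            for p in sorted(root.rglob("*")) if p.is_file()}


def build_sample_tree(root):
    """Constructed sample package: two compliant files and three defective ones."""
    files = {
        "CC6-Access/User-Access/CC6_AC01_AccessReview_2026Q1.xlsx": b"quarterly review",
        "CC7-Operations/Vulnerability-Mgmt/CC7_VM02_ScanReport_2026-02-15.pdf": b"scan report",
        "CC7-Operations/Monitoring/CC6_AC01_AccessReview_2026Q1.xlsx": b"misfiled copy",
        "CC8-Change-Mgmt/SDLC/CC8_CM01_ChangeLog_2025Q2.csv": b"stale log",
        "CC5-Control-Activities/Policies/Security Policy v3.docx": b"unnamed policy",
    }
    for rel, body in files.items():
        target = Path(root, rel)
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_bytes(body)


def run_demo():
    """Build the sample tree in a temp dir and return (findings, manifest) for a
    six-month Type II period of 2025-10-01..2026-03-31 (constructed dates)."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        return lint_evidence(tmp, date(2025, 10, 1), date(2026, 3, 31)), build_manifest(tmp)


if __name__ == "__main__":
    results, manifest = run_demo()
    for rel, why in results:
        print(f"{rel}: {why}")
    print(f"{len(manifest)} files hashed into manifest")
```

Run it against the real package root instead of the temporary sample by calling `lint_evidence(Path("/SOC2-Evidence"), start, end)` with the engagement's period dates; the manifest is worth regenerating and comparing after each hand-off to the auditor's portal.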

Step 3: System Description Finalization

Objective: Complete SOC 2 report Section III/IV system description

System Description Sections:

| Section | Content | Owner |
|---|---|---|
| Company Overview | Business description, history, structure | Marketing/SBK |
| Services Provided | Detailed service description | Product/SBK |
| System Components | Infrastructure, software, people, procedures, data | IT/SBK |
| System Boundaries | Scope definition, exclusions | SBK |
| Subservice Organizations | Third-party dependencies, carve-out/inclusive | SBK |
| Service Commitments | Contractual obligations, SLAs | Legal/SBK |
| Principal Service Commitments | Key commitments being tested | SBK |
| CUECs | Customer responsibilities | SBK |

System Description Review Checklist:

  • Accurately reflects current operations
  • All in-scope systems documented
  • Subservice organizations properly identified
  • Boundaries clearly defined
  • Service commitments aligned with contracts
  • CUECs appropriate for customer base
  • Legal review completed
  • Executive approval obtained

Step 4: Personnel Preparation

Objective: Prepare team members for auditor interactions

Audit Team Roles:

| Role | Responsibilities |
|---|---|
| Executive Sponsor | Final authority, auditor relationship |
| Audit Coordinator | Primary auditor contact, logistics |
| Control Owners | Provide evidence, answer questions |
| Technical SMEs | Demonstrate technical controls |
| HR Representative | Workforce-related evidence |
| Legal Counsel | Legal/compliance questions |

Interview Preparation:

| Preparation Area | Activities |
|---|---|
| Control Knowledge | Review control descriptions and expected operation |
| Evidence Familiarity | Know location and content of supporting evidence |
| Common Questions | Practice responses to typical auditor inquiries |
| Scope Awareness | Understand what's in and out of scope |
| Escalation Path | Know when to defer to other team members |

Interview Guidelines:

  1. Answer only what is asked - Don't volunteer additional information
  2. Be honest - If you don't know, say so
  3. Stay in scope - Redirect out-of-scope questions
  4. Provide evidence - Offer to show documentation when relevant
  5. Take notes - Document what was discussed
  6. Follow up promptly - Provide requested items quickly

Step 5: Pre-Audit Readiness Validation

Objective: Confirm readiness before auditor fieldwork

Readiness Validation Checklist:

| Area | Validation Activity | Status |
|---|---|---|
| Evidence | All evidence collected and organized | ☐ Complete |
| Gaps | All critical/high gaps remediated | ☐ Complete |
| System Description | Final version approved | ☐ Complete |
| Control Matrix | Mapping complete and accurate | ☐ Complete |
| Personnel | Audit team briefed and available | ☐ Complete |
| Logistics | Meeting rooms, access, schedules confirmed | ☐ Complete |
| Technology | Demo environments ready | ☐ Complete |

Mock Audit (Optional):

| Activity | Purpose | Duration |
|---|---|---|
| Sample Testing | Validate evidence quality | 1-2 days |
| Control Walkthroughs | Practice demonstrations | 0.5-1 day |
| Interview Practice | Prepare team members | 0.5 day |
| Gap Identification | Final gap sweep | 0.5 day |

Step 6: Audit Logistics

Objective: Prepare for efficient audit execution

Audit Schedule Planning:

| Phase | Duration (Type I) | Duration (Type II) |
|---|---|---|
| Planning/Kickoff | 1-2 days | 1-2 days |
| Fieldwork | 3-5 days | 5-10 days |
| Wrap-up | 1-2 days | 2-3 days |
| Report Drafting | 2-4 weeks | 3-6 weeks |
| Report Finalization | 1-2 weeks | 1-2 weeks |

Logistics Checklist:

  • Conference room reserved for audit period
  • Secure file sharing established (portal or secure drive)
  • Auditor system access provisioned (if needed)
  • Interview schedule coordinated with participants
  • Daily sync meeting scheduled with auditor
  • Escalation contacts documented
  • Backup personnel identified for key roles

Deliverables

| Deliverable | Format | Owner |
|---|---|---|
| Auditor Selection Summary | Document | SBK Lead |
| Evidence Package | Organized folder structure | Audit Coordinator |
| Final System Description | Word/PDF | SBK Consultant |
| Control Matrix | Excel | SBK Consultant |
| Interview Preparation Guide | Document | SBK Consultant |
| Audit Schedule | Calendar/Project plan | Audit Coordinator |
| Readiness Validation Report | Checklist | SBK Lead |

Quality Gates

  • Auditor selected and engaged
  • All evidence collected and organized
  • System description finalized and approved
  • Control matrix complete and mapped
  • Audit team briefed and prepared
  • Logistics confirmed
  • Mock audit completed (if applicable)
  • Readiness validation passed

Last Updated: February 2026
Parent SOP: soc2-gap-sop.md