Your First SOC 2 Type 2 Audit: What to Expect

The avow team

A step-by-step walkthrough of your first SOC 2 Type 2 audit: scoping, the observation period, evidence requests, sampling, exceptions, and the report.


The one-line version

A SOC 2 Type 2 audit is a licensed CPA firm collecting evidence that your controls actually operated over a period of time — commonly 3 to 12 months — and then writing an opinion about it. Type I tests whether your controls are designed well at a single point in time. Type II tests whether they ran consistently across the whole window. That difference is why Type II takes longer, demands more evidence, and produces the report your customers actually ask for. If the distinction is fuzzy, start with SOC 2 Type I vs Type II.

One vocabulary correction up front, because it trips up every first-timer: you do not get “SOC 2 certified.” A SOC 2 report is an attestation issued under the AICPA’s SSAE 18 standard. There is no certificate and no pass/fail stamp — there is an auditor’s opinion and a detailed report. More on the categories in What Is SOC 2?.

The phases, end to end

Here is the whole flow before we go deep on each part.

| Phase | Who drives | What actually happens | Typical duration |
|---|---|---|---|
| Kickoff & scoping | You + auditor | Agree Trust Services Criteria, systems, locations, period | 1-2 weeks |
| Observation period | You | Controls run; you keep evidence as you go | 3-12 months |
| Evidence requests (PBC) | Auditor asks, you provide | Populate the “provided by client” list | 2-4 weeks of active work |
| Fieldwork & testing | Auditor | Sampling, inspection, re-performance, walkthroughs | 2-6 weeks |
| Exceptions & responses | Both | Auditor notes deviations; you write management responses | Ongoing during fieldwork |
| Report issuance | Auditor | Draft, review, final signed report | 2-4 weeks |

Kickoff and scoping

Scoping is where your audit’s cost and difficulty get set, so treat it as a real decision, not paperwork.

Three things get nailed down:

  1. Which Trust Services Criteria. Security (the Common Criteria) is always in scope. Availability, Processing Integrity, Confidentiality, and Privacy are optional and driven by what you actually do and what customers demand. Adding criteria means more controls and more evidence. Do not add Privacy “to look thorough” if no one is asking for it. See the Trust Services Criteria breakdown before you commit.
  2. The system boundary. Which product, which infrastructure, which supporting tools (identity provider, ticketing, cloud accounts, code repos). Sub-service organizations like AWS or GCP get carved out — you rely on their SOC 2, you do not re-audit their data centers.
  3. The observation period. A first Type 2 usually runs 3 to 6 months to get a report out faster; renewals typically run a full 12 months so they tile back-to-back with no gaps. For the timeline math, see How Long Does SOC 2 Actually Take?.

The critical thing about the period: the clock is retrospective. The auditor tests what already happened. You cannot go back and create an access review for a month you skipped. Whatever your controls say they do, they need to have been doing it for the entire window.

The observation period (the part that decides your outcome)

This is where the audit is won or lost, and it happens before the auditor does much of anything. During the period your controls just need to run on schedule and leave a trail:

The failure mode is not “we do not have controls.” It is “we have controls but no timestamped proof they ran in month two.” Collecting evidence continuously, rather than scrambling at the end, is exactly the gap compliance-automation platforms like avow close: they pull evidence from your cloud, identity, and code systems on a schedule, so the period generates its own paper trail.

Evidence requests: the PBC list

When fieldwork starts, the auditor sends a PBC list — “provided by client.” It is a spreadsheet of every artifact they want, mapped to controls. Expect a mix of:

Two things matter enormously here. First, completeness of populations. If you hand over a list of “changes” that is missing three deploys, the auditor cannot trust the whole population, and that undermines every sample drawn from it. Second, screenshots must show context — the URL, the date, the setting. A cropped screenshot with no timestamp gets kicked back and slows everything down.
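One way to catch the population-completeness problem (and changes with no linked review) before the auditor does is to reconcile the change list against an independent record of what actually reached production. This is an added example, not code from the original post or from avow; the deploy and ticket record shapes and the sample data are constructed for illustration.

```python
from dataclasses import dataclass
from datetime import date
from typing import List, Optional, Tuple

@dataclass(frozen=True)
class Deploy:
    sha: str            # commit that reached production
    deployed_on: date   # taken from the deploy system's own log, not a spreadsheet

@dataclass(frozen=True)
class Change:
    sha: str
    ticket: str
    reviewer: Optional[str]   # None means no linked review

def reconcile(deploys: List[Deploy], changes: List[Change],
              period_start: date, period_end: date) -> Tuple[List[str], List[str]]:
    """Compare the independent deploy log against the change population.
    Returns (missing, unreviewed): commits deployed inside the observation
    period that have no change record at all (a completeness gap that would
    undermine every sample the auditor draws), and tickets whose change
    shipped without a linked reviewer (a likely exception)."""
    in_period = [d for d in deploys if period_start <= d.deployed_on <= period_end]
    by_sha = {c.sha: c for c in changes}
    missing = sorted(d.sha for d in in_period if d.sha not in by_sha)
    unreviewed = sorted(by_sha[d.sha].ticket for d in in_period
                        if d.sha in by_sha and by_sha[d.sha].reviewer is None)
    return missing, unreviewed

# Constructed sample data for a 1 Feb - 31 Mar observation period (hypothetical values).
PERIOD = (date(2024, 2, 1), date(2024, 3, 31))
DEPLOYS = [
    Deploy("a1f3c9", date(2024, 2, 3)),
    Deploy("b27e10", date(2024, 2, 10)),
    Deploy("c3d8ab", date(2024, 3, 1)),    # never got a change ticket
    Deploy("d4e5f6", date(2024, 4, 20)),   # after the period; ignored
]
CHANGES = [
    Change("a1f3c9", "CHG-101", "alice"),
    Change("b27e10", "CHG-102", None),     # shipped without a review
]

def check_sample() -> Tuple[List[str], List[str]]:
    return reconcile(DEPLOYS, CHANGES, *PERIOD)

if __name__ == "__main__":
    missing, unreviewed = check_sample()
    print("deploys missing from change population:", missing)
    print("changes with no linked review:", unreviewed)
```

Run this against the real deploy log before the PBC list goes out; a non-empty `missing` list means the population you are about to hand over is incomplete.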

Sampling and testing

Auditors do not inspect every single event. They sample. For a control that fired 400 times over the period, they might pull a sample of 25 and inspect each one. Sample sizes scale with how often the control runs and how much the auditor relies on it; a control that runs daily gets a bigger sample than one that runs annually.

The testing methods they apply:

Inquiry alone is never enough for Type II; every operating-effectiveness conclusion has to be backed by inspection or re-performance across the sample.

Handling exceptions

An exception is a specific instance where a control did not operate as described — one terminated user whose access lingered a week, one change that shipped without a linked review. Exceptions are normal. A first audit with zero exceptions is rarer than founders assume.

What happens next:

  1. The auditor documents the exception factually.
  2. You get to write a management response — root cause, scope (was it one instance or systemic?), and remediation.
  3. The auditor decides whether the exception is isolated or indicates the control is not operating effectively.

The distinction that matters: an isolated, well-explained exception usually stays in the report as a noted deviation while the control still earns an effective conclusion. A pattern of the same failure means the control failed, which can drive the opinion toward qualified. The most common cause of ugly exceptions is not doing the control at all for part of the period — which loops right back to why the observation period is everything. For the traps that create them, read 5 SOC 2 Mistakes Startups Make.

The final report and the opinion

The auditor drafts the report, you review for factual accuracy (not to soften findings), and the CPA firm signs it. A SOC 2 Type II report contains:

The four opinion types:

| Opinion | Meaning |
|---|---|
| Unqualified | Controls were suitably designed and operated effectively. The clean result you want. |
| Qualified | Mostly fine, but one or more controls had a material problem, described specifically. |
| Adverse | Controls were not effective. Rare; a serious signal. |
| Disclaimer | The auditor could not gather enough evidence to form an opinion. |

Most well-prepared first audits land an unqualified opinion, sometimes with a few noted exceptions in the test results.

How to prepare so there are no surprises

Prepared teams experience the audit as mostly administrative. Unprepared teams experience it as a month of firefighting over evidence that no longer exists. The difference is entirely in what you did during the observation period, not during fieldwork.