What is a SOC 2 Audit?

A SOC 2 audit is an independent examination of how a service organisation manages customer data against the Trust Services Criteria. Carried out by a licensed CPA firm under AICPA standards, it results in an attestation report, not a certificate, that buyers use as evidence your security and privacy controls are designed and operating properly.

What a SOC 2 audit is

SOC 2 stands for System and Organization Controls 2. It is an attestation engagement defined by the American Institute of Certified Public Accountants (AICPA), in which an independent auditor examines the controls a service organisation uses to protect customer data and reports an opinion on them. It is not a certification and there is no pass mark or badge; the output is a report a reader can rely on.

The distinction matters. ISO 27001 results in a certificate issued by an accredited body. SOC 2 results in an attestation report written by a CPA firm, describing your systems, the controls you have in place, the tests the auditor performed and the auditor’s opinion. SaaS companies usually pursue SOC 2 because a customer’s procurement or security team has asked for the report before they will sign.

Who performs a SOC 2 audit

A SOC 2 audit can only be performed by a licensed CPA firm. The AICPA owns the SOC framework and its attestation standards, so the auditor issuing the report must be a certified public accounting firm or an individual CPA in good standing. A consultancy can help you prepare, but it cannot issue the report; that independence is what gives the report its value to a reader.

This is a common point of confusion. The firm that helps you build and test your controls should not be the same firm that audits them, and a credible auditor will decline the engagement if it would compromise their independence. When you choose an auditor, look for genuine experience with SaaS service organisations and clarity on scope, timeline and what evidence they expect.

The Trust Services Criteria

A SOC 2 audit assesses your controls against the AICPA’s Trust Services Criteria. Security, also called the Common Criteria, is the only category every SOC 2 report must include. The other four are optional and you select them based on the commitments you make to customers and the nature of your service.

Trust Services CriterionWhat it covers
Security (Common Criteria)Protection of systems and data against unauthorised access. Mandatory in every report.
AvailabilityThat the system is available for operation and use as committed.
Processing IntegrityThat system processing is complete, valid, accurate and timely.
ConfidentialityThat information designated as confidential is protected as committed.
PrivacyThat personal information is collected, used, retained and disposed of in line with the entity’s commitments.

Most SaaS companies scope their first audit to Security alone, or Security plus Availability, and add further criteria later as customer commitments grow. Choosing more criteria than your customers actually ask for adds evidence and effort without adding value, so scope deliberately.

SOC 2 Type 1 vs Type 2

There are two kinds of SOC 2 report. A Type 1 report examines whether your controls are suitably designed at a single point in time. A Type 2 report goes further and examines whether those controls operated effectively over a period, typically somewhere between three and twelve months, with the auditor testing evidence drawn from across that window.

Type 1 is faster to obtain because it is a snapshot; Type 2 carries more weight because it shows the controls work in practice over time, which is what most enterprise buyers eventually want. A common path is to obtain a Type 1 first to satisfy an immediate sales requirement, then move into a Type 2 observation period. We compare the two in detail in our guide to SOC 2 Type 1 vs Type 2.

What the SOC 2 audit process involves

The work divides into a readiness phase you run yourself, and the formal examination the auditor performs. Getting the first phase right is what determines whether the audit goes smoothly.

  1. Scoping. Decide which Trust Services Criteria apply and which systems, locations and people are in scope, based on what you commit to customers.
  2. Gap assessment. Compare your current controls against the criteria in scope and identify what is missing or weak before an auditor sees it.
  3. Remediation. Put the missing controls in place and, importantly, run them long enough to generate evidence, which matters most for a Type 2.
  4. The examination. The CPA firm reviews your control descriptions, tests evidence and, for a Type 2, samples across the observation period.
  5. The report. The auditor issues the attestation report, describing your systems, the controls, the tests performed and their opinion. You share it with customers under NDA.

If you are approaching this for the first time, our guide on how to prepare for your first SOC 2 audit walks through the readiness phase in practical detail.

How long a SOC 2 audit takes and what drives the cost

The auditor’s fieldwork for a Type 1 is comparatively short. A Type 2 spans the observation period itself, so the elapsed time is governed by how long you choose to observe controls operating, not just by the auditor’s testing. The bigger variable for most companies is the readiness work that precedes the audit, which depends on how mature your controls already are.

There is no fixed price for a SOC 2 audit, and any single figure quoted online should be treated with caution. The real cost is driven by a handful of factors: the number of Trust Services Criteria in scope, the size and complexity of the systems being examined, how mature your existing controls are, whether you are doing a Type 1 or a Type 2, and the CPA firm’s own fees. Readiness effort is usually the largest cost, which is exactly what a structured engagement is designed to contain.

Common delays to avoid

Most SOC 2 timelines slip for predictable reasons. Three traps account for the bulk of them.

  • Skipping the gap assessment and going straight to the auditor. If you let the audit itself surface your control gaps, you discover them at the most expensive possible moment. A gap assessment first means you fix problems on your own schedule rather than mid-examination.
  • Underestimating evidence collection. A Type 2 needs evidence that controls operated throughout the period, not just that they exist today. Teams that wait until fieldwork to assemble access reviews, change logs and monitoring records find the evidence simply is not there, and the period effectively restarts.
  • Scoping too broadly, too early. Including every Trust Services Criterion and every system on the first attempt multiplies the controls you must operate and evidence. Scope to what your customers actually require now, then expand in later reports.

How Atoro helps

Atoro is Europe’s first ISO 42001 certified consultancy, with more than 200 certifications delivered across security and compliance. We prepare SaaS companies for SOC 2: scoping the right Trust Services Criteria, running the gap assessment, building and embedding controls, and getting your evidence in order before the CPA firm begins. We do not issue the report, your independent auditor does, which is how it should be. See our SOC 2 implementation service for how the engagement works.

SOC 2 audit FAQs

What is a SOC 2 audit?

A SOC 2 audit is an independent examination of a service organisation’s controls against the AICPA’s Trust Services Criteria. A licensed CPA firm tests how you protect customer data and issues an attestation report describing your systems, the controls and the auditor’s opinion.

Is SOC 2 a certification?

No. SOC 2 is an attestation, not a certification. There is no certificate or badge. The output is a report written by a CPA firm that customers read as evidence your controls are designed, and for a Type 2 operating, effectively.

Who can perform a SOC 2 audit?

Only a licensed CPA firm can perform a SOC 2 audit and issue the report, because the AICPA owns the framework and its attestation standards. A consultancy can help you prepare, but it cannot act as your auditor without compromising the independence the report depends on.

What are the Trust Services Criteria?

They are the five categories a SOC 2 audit assesses: Security (the Common Criteria), Availability, Processing Integrity, Confidentiality and Privacy. Security is mandatory in every report; the other four are selected based on the commitments you make to customers.

What is the difference between SOC 2 Type 1 and Type 2?

A Type 1 report examines whether controls are suitably designed at a point in time. A Type 2 report examines whether those controls operated effectively over a period, usually three to twelve months. Type 2 carries more weight with enterprise buyers because it shows the controls work over time.

How long does a SOC 2 audit take?

It depends on the report type and your readiness. A Type 1 is a snapshot and is quicker. A Type 2 is governed by the observation period you choose, often several months to a year, plus the readiness work beforehand, which is usually the longest part for a first-time audit.

How much does a SOC 2 audit cost?

There is no fixed price. Cost is driven by the number of Trust Services Criteria in scope, the size and complexity of your systems, whether it is a Type 1 or Type 2, how mature your controls already are, and the CPA firm’s fees. Readiness effort is usually the largest component.

What does a SOC 2 report contain?

A SOC 2 report describes the service organisation’s systems and scope, the controls in place against the criteria selected, the tests the auditor performed and the auditor’s opinion. For a Type 2 it also covers how the controls operated across the observation period. It is shared with customers under NDA.