Recipe: SOC2 audit prep checklist

A step-by-step guide to preparing your SaaS for a SOC2 Type II audit without losing your mind.

1. Define your trust services criteria

Pick the TSCs that matter: Security is mandatory. Availability, confidentiality, processing integrity, and privacy are optional add-ons. Most startups start with Security-only.

2. Scope your system boundary

List every service, database, CI pipeline, monitoring tool, and third-party vendor that touches customer data. If it is in scope, it needs controls.

3. Inventory your controls

Map existing controls to the TSCs. Common gaps: access reviews, offboarding procedures, backup testing, and change management documentation.

4. Collect evidence for 3–6 months

Auditors need a lookback period. Start collecting screenshots, logs, and policy acknowledgments now. Automate evidence collection where possible.

5. Run a readiness assessment

Hire a CPA firm for a gap analysis before the real audit. They will flag missing controls so you can fix them beforehand, rather than have them surface as exceptions that lead to a qualified opinion.

6. Schedule the audit window

Type II audits cover a period (usually 6–12 months). Book the fieldwork 4–6 weeks out and block engineering time for evidence requests.

Need help automating evidence collection? Talk to our team.