SOC 2 readiness vs. audit and why your MSP doesn't do audits

“Do you do SOC 2?” is one of the most common questions we hear from a growing software or services company. The answer is not a clean yes or no, and the fuzziness inside that answer is where most SOC 2 projects go sideways.

SOC 2 is not one thing. It is two distinct engagements, executed by two distinct firms, with different incentives and different deliverables. Understanding that split is the difference between a SOC 2 project that produces a clean report on schedule and one that wastes 6 months and comes back with a qualified opinion.

What are the two SOC 2 engagements and why are they different?

A SOC 2 project has two distinct engagements: readiness and audit. Readiness is the work of building and operating the control environment, typically 3 to 9 months. Audit is the work of evaluating that environment and issuing the attestation report, performed by a licensed CPA firm. Different firms, different deliverables, different professional responsibilities.

A SOC 2 project, done correctly, has two parts.

Readiness. The work of building, documenting and operating the control environment the audit will evaluate. Timeframe: 3 to 9 months. Done by the company’s internal team, a specialist consultancy or an MSP that handles the operational side.

Audit. The work of evaluating the control environment and issuing the attestation report. Timeframe: a few weeks of auditor fieldwork, plus a report-production cycle. Done by a licensed CPA firm.

These are separate contracts, separate firms, separate deliverables and, critically, separate professional responsibilities.

Can the same firm do SOC 2 readiness and audit?

No. AICPA independence standards prohibit the audit firm from having a material role in designing, operating or maintaining the control environment they audit. The firm that builds your SOC 2 program cannot issue the report. The firm that issues the report cannot have built the program. Some firms blur the line. Clean projects respect the split.

AICPA independence standards prohibit the audit firm from having a material role in designing, operating or maintaining the control environment they are auditing. The rule exists because an audit that assesses your own work is not an independent assessment.

In practice this means:

• The firm that builds your SOC 2 program cannot issue the SOC 2 report.
• The firm that issues the SOC 2 report cannot have built your program, operated it on your behalf or provided material advisory services on the controls they are testing.

Some firms advertise “SOC 2 end to end” and then subcontract one side of the work to stay on the right side of the rule. Some firms blur the line intentionally and then hope the independence review does not surface it. Clean projects respect the split up front.

What does a SOC 2 readiness engagement actually deliver?

A readiness engagement produces the material the audit will sample. That includes scoping decisions, a control-by-control gap assessment, remediation of weak controls, written policies and procedures, evidence accumulation across the observation period and a pre-audit review. Skipping the readiness work and going straight to audit is a predictable way to burn audit fees.

A real readiness engagement produces the material the audit will sample. That usually means:

• Scoping. What systems and data are in the audit boundary. What Trust Services Criteria apply. What is explicitly carved out.
• Gap assessment. A control-by-control inventory of the current state against the audit standard, with each gap flagged.
• Remediation. Building or hardening the controls that are missing or weak. Multi-factor authentication, logging, access reviews, change management, vendor risk, incident response.
• Documentation. Written policies, procedures and system descriptions. The auditor needs these to write the system-description section of the report.
• Evidence accumulation. Operating the controls for long enough to produce the artifacts the auditor will sample. For a Type II report, this is the observation period, usually 3 to 12 months.
• Pre-audit review. A mock audit against the audit standard to catch issues before the auditor does.

Skipping the readiness work and going straight to audit is a predictable way to burn audit fees. The auditor arrives, finds gaps, issues a qualified opinion or requests a remediation cycle that delays the report by several months.

What does the SOC 2 audit firm actually do?

The audit firm evaluates whether the control environment is designed appropriately (Type I) or operating effectively over a period (Type II). They review the system description, test control design, sample evidence across the observation period for Type II, document findings and issue the opinion. They do not build controls, write policies or remediate gaps.

The audit firm evaluates whether the control environment is designed appropriately (Type I) or operating effectively over a period (Type II). In practice:

• Reviews the system description the company provides.
• Tests the design of controls. “If this control were operating as described, would it address the relevant risk.”
• Tests the operation of controls, for Type II. Sampling evidence across the observation period.
• Documents findings, discusses with management and issues the opinion.

The audit firm does not build controls. Does not write policies. Does not operate the security program. Does not remediate gaps on the company’s behalf. Those are all readiness activities, and they are the reason the two roles are separate.

Where do GRC tools like Vanta, Drata or Secureframe fit in a SOC 2 project?

GRC platforms automate evidence collection once the control environment exists. Used well they save weeks of manual evidence work. Used badly they create a misleading sense of readiness because the platform measures configuration while the auditor measures operation. A platform can show 94 percent passing controls while the audit produces 15 findings.

Vanta, Drata, Secureframe, Thoropass and similar GRC platforms have changed the SOC 2 market meaningfully in the last 5 years. Used well, they automate a significant portion of evidence collection once the control environment exists.

Used badly, they create a misleading sense of readiness. The platform marks controls as “passing” based on automated checks that prove the control exists in configuration. The auditor is evaluating whether the control is operating effectively against the criteria, which is a different question. A platform can show 94% passing controls while the audit produces 15 findings, because the platform is measuring configuration and the auditor is measuring operation.

The practical role of a GRC tool in a SOC 2 project:

• Excellent for continuous evidence collection once the program exists.
• Useful for policy template starting points, though templates often need substantial revision to reflect the actual environment.
• Not a substitute for a real readiness engagement.
• Not a substitute for an audit.

How long does a first SOC 2 project take and how is it sequenced?

A first SOC 2 project typically runs 9 to 12 months from kickoff to issued report. Months 1 to 3 cover scoping and gap assessment, months 3 to 6 cover remediation and policy work, the audit firm is selected in month 4 or 5, evidence accumulates through month 9 and audit fieldwork plus report runs through month 12.

A defensible sequence for a company pursuing its first SOC 2 report:

1. Month 0. Named program owner internally. Decide Type I, Type II or Type I followed by Type II. Select a readiness partner.
2. Months 1 to 3. Scoping, gap assessment, initial remediation. GRC tool selected and configured if being used.
3. Months 3 to 6. Control operation, policy finalization, evidence accumulation.
4. Month 4 or 5. Select audit firm. (Timing matters. Selecting too early ties your readiness scope to that auditor’s preferences. Selecting too late delays the engagement.)
5. Months 6 to 9. Continued operation, pre-audit review, mock walkthrough.
6. Months 9 to 12. Audit fieldwork. Report issuance.

A shorter sequence is possible for a company that is already operating controls at audit-ready maturity. That is uncommon for a first-time SOC 2 project.

Where Atticus Rowan fits

We guide companies preparing for SOC 2 Type I and Type II audits, building the control environment, operating it long enough to produce the evidence the auditor needs and coordinating with the SOC 2 audit firm. We are not a SOC 2 audit firm ourselves; we are the MSP that makes the audit reach a clean opinion.

The practical shape of the engagement depends on the starting point. A company with no documented program and a 9-month runway to first audit needs a different engagement than a company with a mature but undocumented environment and a compressed 3-month runway. Both are workable. The scoping conversation at the beginning is where the shape of the project is decided.

What should I ask before signing a SOC 2 readiness or audit contract?

Three questions tend to expose where a proposed SOC 2 project will go sideways. First, who is the audit firm and are they independent of every firm involved in readiness work? Second, what is the evidence accumulation period before the audit opens fieldwork? Third, what happens if the audit produces a qualified opinion?

Three questions that tend to expose where a proposed SOC 2 project will go sideways.

• Who is the audit firm, and are they independent of every firm involved in the readiness work. If the proposed audit firm is part of the same company as the readiness firm, the independence structure needs to be explicitly explained.
• What is the evidence accumulation period before the audit opens fieldwork. A Type II audit against a 3-month observation period is defensible. A Type II audit against a 30-day observation period will be weak.
• What happens if the audit produces a qualified opinion. A serious readiness partner will have a remediation-cycle answer. A weak readiness partner will have excuses.

If your company is pursuing SOC 2 for the first time and you want a clear read on how to sequence readiness and audit without burning budget or calendar, schedule a discovery call. We can scope the readiness work against your deal pressure and your runway.