SOC 2 Readiness Assessment: What Auditors Check vs. What You Should Check
What a SOC 2 readiness assessment checks versus what you should check between audits, plus the operating checklist that keeps the report true year-round.
Learn more
Josh Zweig
July 2, 2026
In this article
The enterprise deal is sitting on someone's desk, waiting for a SOC 2 report you don't have yet. So you book a readiness assessment, an auditor walks your controls, and you get back a management letter listing the weaknesses to close before the real audit. That much is useful, and it's also where most lean teams stop. The assessment tells you what an auditor will look for at a single point in time, but it says almost nothing about the daily operational work that keeps the report true over the next twelve months.
SOC 2 trouble starts when controls exist in a policy, or appear green in a dashboard, but can't prove that they're operating continuously. Continuous automation is what closes that distance, keeping the controls enforced between audits. A readiness assessment only tells you where you stand on audit day, and staying there afterward is the harder, ongoing job.
What a SOC 2 Readiness Assessment Is
A SOC 2 readiness assessment, sometimes called a gap assessment, is a preliminary evaluation that a service auditor or qualified consultant runs to measure how prepared you are for the formal SOC 2 audit. It works like a practice test graded against the same criteria your real auditor will use. They review your documents, policies, and processes and flag the vulnerabilities while you still have time to fix them. The formal SOC 2 report is a separate engagement, and the readiness assessment usually comes first.
It's optional, and only especially useful if you're maintaining compliance manually. Expect a professional readiness assessment to run from a few thousand dollars into the low five figures and take several weeks for a small team, though the published costs vary widely by provider, scope, and environment. What you get back is a management letter that lists the weaknesses and lays out a remediation roadmap, and the remediation itself can take months if you're starting far from ready. If you have an automated security system like Zip, you can typically check for the same criteria yourself by consulting the compliance dashboard in your software. If you have specific concerns, or if your set-up is complex, it may be worth reaching out to an auditor for additional help.
If you do opt for a SOC 2 Readiness Assessment, settle scope before you commit. Your enterprise customers will often ask for Type II, which tests whether controls operated effectively over a period, along with whether they were designed correctly on one day. If your prospects are likely to demand Type II, paying for a Type I first may not be the best first spend.
What Auditors Check
The auditor's job is verification. Working from the American Institute of Certified Public Accountants (AICPA) Trust Services Criteria, they examine how each control is designed and then test whether that design held up across the observation period, sampling evidence rather than reviewing every event. They can't fix anything they find, though, because independence requirements keep them in the role of evaluator; whatever they surface is yours to remediate.
During a readiness or gap assessment, auditors review:
- Scope and Trust Services Criteria selection. Confirm whether Security (the nine Common Criteria, CC1 through CC9) is in scope and whether Availability, Processing Integrity, Confidentiality, and Privacy also apply.
- Controls mapping. The spreadsheet that maps each control to a criterion, plus your management statement, system description, and policies.
- Policies and documentation. Missing policies, incomplete training records, controls that are only partially implemented.
- Evidence. Screenshots, logs, tickets, and approvals. Auditors look for dated evidence that controls were operating before fieldwork. You should expect questions wherever a criterion has no mapped control, no clear owner, or no dated evidence.
- A remediation roadmap. The prioritized list of what to fix and in what order.
Your program may include dozens of controls depending on which criteria are in scope. For each one, the auditor asks for evidence that it operated throughout the period, drawing on up to four auditor testing methods, ordered from the lightest touch to the most rigorous:
- Inquiry. Asking the control owner how something works.
- Observation. Watching the control happen.
- Inspection. Reviewing the artifacts and records the control produces.
- Re-performance. Independently re-running the control, like checking that a terminated employee's access was revoked.
Inquiry alone rarely satisfies an auditor, so the stronger methods come out for anything carrying real risk. For period-based testing, they pull a population of control activity and select samples from across the window.
Teams get caught when evidence cadence does not match policy cadence. If your policy says you run quarterly access reviews, the auditor expects dated records that match that quarterly evidence cadence. Run the review once, right before the audit, and that surfaces as an exception. The auditor samples across the whole window, reaching back well beyond the last few weeks before fieldwork.
Where Audits Fail
First-time SOC 2 audits tend to slip or pick up findings in the same few control areas, and the cause is rarely the tool you bought. CrowdStrike, Okta, and the rest do their jobs. What auditors flag is the operating record around them, where a control exists but nobody can show it ran when it was supposed to. The pattern repeats across access, change, monitoring, and vendor risk.
Access controls (CC6)
This is the area that draws findings first. The review often happens informally and leaves no dated record of who reviewed it, who approved continued access, or what changed, while deprovisioning lags behind departures. An employee who left keeps admin access well past their last day, against a policy that promises fast revocation, and that contradiction is what an auditor flags.
Change management (CC8)
The breakdown here is procedural. Approvals come apart when they aren't durable, so a quick "looks good, ship it" in chat is hard to defend in an audit unless it ties back to a ticket, a named reviewer, a timestamp, and a deployment record.
Incident response and monitoring (CC7)
These controls fail quietly, when the plan exists but was never tested, the tabletop results were never written down, or the monitoring runs with no record that anyone triaged the alerts.
Vendor risk (CC9.2)
An assessment needs scoring and documentation behind it, and an evaluation the team ran but never scored or wrote down won't satisfy the criterion. Signing the vendor is the easy part, and proving you evaluated them is the control.
Controls need dated evidence showing that they ran when they were supposed to run. A single late access review may be explainable, but a pattern of missed reviews across multiple systems over twelve months becomes much harder to defend.
What You Should Check: The Operating Work Behind the Evidence
The auditor checks your security controls. Keeping them running between audits is your job, and without the right system in place, second-year audits tend to go sideways in the space between the two. Your first audit might cover a three-to-six-month window, while your second looks back across a full twelve months, right when the pressure that drove your early discipline has faded and drift has crept in. Audit firms describe this shift from shorter first windows to annual cycles as a familiar pattern. There's no remediation period once a failure lands in that look-back, so it goes onto the report, and you explain it to customers at renewal.
So your operating checklist looks different from the auditor's. It runs on a recurring cadence, and its job is to surface drift while you still have time to fix it, long before an auditor would see it. While we'd recommend working with an automated security system that continuously checks and enforces your controls for you, a workable rhythm for a lean team running security manually might look like:
| What to Check | How Often |
|---|---|
| Endpoint coverage and encryption status | Monthly |
| Authentication logs retained for audit review | Monthly |
| Access reviews with reviewer sign-off | Quarterly |
| Configuration drift checks | Weekly |
| Vulnerability scans | Monthly (external), quarterly (internal) |
| Security training completion | Track continuously, verify monthly |
Access reviews deserve special attention, because they're both the control that fails most often and the one that rarely leaves a clean record when it does. Run them quarterly with manager and system owner sign-off, and keep four dated sets a year. Get that one right and you've closed a weakness many teams carry.
Continuous monitoring surfaces issues before they become audit findings. Point-in-time checks miss configuration drift, which then tends to stay hidden until right before the audit, when fixing it is most stressful and most expensive.
Compliance Comes From Security
Compliance is a continuous operating posture, and security is what keeps your customers and contracts protected every day. The SOC 2 report just documents that the security held. Companies that confuse the two treat the audit as a sprint, pass it, take their foot off the gas, and watch year two fall apart.
That second-year collapse usually comes from leaning on one layer of protection and neglecting the others. Every SOC 2 control falls into one of three classes of safeguards, and seeing all three keeps you honest about what you have to build:
- Technical safeguards. Data-at-rest encryption, multi-factor authentication (MFA), device management, Endpoint Detection and Response (EDR), identity controls, and audit logging. These commonly support SOC 2 logical access and system operations controls.
- Process safeguards. Change control, review gates, vendor risk cadences, evidence-collection rhythms, incident response runbooks. The classic example is the rule that before this thing ships, two people approve it.
- People safeguards. Background checks, security training, role-based access, formal onboarding and offboarding.
A technical-only program leaves you exposed. In year two, companies usually struggle with the process scaffolding that keeps controls in place between audits and the people scaffolding that holds discipline as the team grows and turns over. A program that handles only technical drift is missing two-thirds of the failure surface.
Governance, risk, and compliance (GRC) platforms hit their limit here. Tools like Vanta and Drata read your security state and turn it into audit-ready dashboards, which is genuinely useful, and when a control fails, they flag it rather than fix it. A passing dashboard for a control that was never deployed is worse than no dashboard at all, because it feeds a false signal into your customer's diligence. They can show you the state of your controls, but keeping that state true is work that happens underneath them.
Where the Technical Layer Gets Handled Automatically
Of the three classes, the technical safeguards are the ones that should run without you thinking about them. They're also the layer most prone to quiet drift, where an EDR agent stops communicating with the console or a recovery key never gets retained for audit evidence, and nothing surfaces it until fieldwork. Keeping that layer enforced every day is what a Built and Managed Security Platform (BMSP) like Zip Security is built for.
Zip deploys, configures, and runs tools like Jamf, Microsoft Intune, CrowdStrike, and Okta from one platform, turning the framework into concrete, enforceable controls across macOS and Windows. When something drifts, Zip applies self-healing security or routes an actionable alert, then logs the fix with a timestamp. The controls you launched with stay enforced on day 300, so "what was running on day X" is a system query instead of a guess.
Process and people safeguards stay with you, often supported by a fractional or virtual security lead or an operations lead. Zip enforces the technical layer and produces the evidence, while the change-control gates, the documented offboarding workflow, and the training records are yours to run. That honesty is deliberate, because a platform that claimed to handle all three would fall apart the first time an auditor asked a follow-up question.
The Bottom Line
The readiness assessment shows you what an auditor checks. Your job is the harder, quieter work of keeping the controls operating and the evidence accumulating, every week between audits. When the technical layer enforces and proves itself automatically, you get to spend your attention on the Process and People work that machines can't do, and your second audit looks like your first.
That same readiness pays off past the audit. A clean SOC 2 report shrinks the security questionnaires large buyers still send, and the rest comes down to having a packet ready before they ask. When the controls underneath are enforced and the evidence pulls from live system state, that packet assembles itself instead of triggering a two-week scramble.
See how lean teams keep SOC 2 controls enforced year-round without a security hire. Get a quote and see how teams get secure in 14 days or less.
Frequently Asked Questions
How much does a SOC 2 audit cost?
Audit fees vary by company size, scope, criteria selected, auditor, and whether you're pursuing Type I or Type II. For a small company, the budget usually needs to cover readiness, policy work, tooling, evidence collection, and the audit itself, well beyond the auditor's invoice alone.
How long does a SOC 2 audit take?
Type I is usually measured in months. Type II takes longer because the controls have to operate across an observation period before the auditor can test them. Plan to start well before the deal that's forcing the timeline.
Why is the second audit harder than the first?
The observation window expands from a few months to a full twelve, so there are many more months of evidence in which an exception can appear. There's no remediation period once a failure lands in the look-back, so the control has to operate continuously rather than get cleaned up right before fieldwork.
Do GRC platforms make us compliant?
They make you visible by reading state and producing evidence. The underlying controls still need enforcement, and drift still needs a human owner.
In this article
Get started with Zip
Learn more about Zip's MDM, EDR, IT, and Compliance solutions and we'll find the right fit for you.
Learn more
Questions about this article? Get in touch with our team below.


