How to Prepare for a SOC 2 Audit: A 2026 Readiness Guide

We already publish a focused guide on the testing piece — SOC 2 pentest prep — so this post deliberately stays on the audit-readiness side: the controls, the evidence, the auditor relationship, and the calendar. If you only need to know how to scope the pentest, start there. If you need to understand the whole audit you are walking into, keep reading. For the one-paragraph definition, the SOC 2 glossary entry has it.

SOC 2 is built on five Trust Services Criteria. Only the first is mandatory; the rest are opt-in based on what you promise customers.

• Security (Common Criteria). Mandatory. The bulk of the audit. Covers access control, change management, risk assessment, monitoring, and incident response.
• Availability. Uptime, redundancy, backup, and disaster recovery. Add it if you make SLA promises.
• Processing Integrity. Data is processed completely and accurately. Relevant for payments, billing, or data pipelines.
• Confidentiality. Data designated confidential is protected. Common for B2B SaaS.
• Privacy. Personal information is handled per your notice. Add only if you genuinely process consumer PII.

The single most expensive mistake here is adding categories you cannot produce evidence for. Scope Security plus only what your customers actually demand. Then define the system boundary — the production services, data stores, and infrastructure in scope — because your pentest scope and your evidence scope both flow from it.

Controls are the things you do; policies are the documents that say you do them. Auditors check that both exist and that reality matches the paper. The control families that carry most of a SOC 2:

• Access control. SSO, MFA, least privilege, and quarterly access reviews with records.
• Change management. Pull requests reviewed and approved, CI gates, and a clear path from code to production.
• Risk assessment. A documented annual risk assessment and a risk register.
• Monitoring and vulnerability management. Logging, alerting, vulnerability scanning, and the annual penetration test (covered in Step 4).
• Vendor risk management. Reviews of your subprocessors and critical vendors.
• Incident response. A runbook, defined roles, and evidence you have tested it.
• HR and training. Background checks where lawful, onboarding/offboarding, and security-awareness training.

The technical controls overlap heavily with good engineering. Our cybersecurity services for SaaS startups guide covers the security work a young company needs anyway, most of which doubles as SOC 2 evidence.

Auditors do not grade your intentions. They sample. They pick a date range and ask you to demonstrate that a control operated for specific instances within it. Evidence that survives sampling looks like this:

For Type II this is the whole game: the control must operate throughout the observation period, so a retroactive scramble in the final week does not work. A compliance platform (Vanta, Drata, Secureframe, Thoropass) automates much of the collection by connecting to your cloud, identity provider, and code host — but it organizes evidence you produce, it does not produce it.

SOC 2 never says "pentest," but auditors read the monitoring and risk-assessment criteria (CC4.1 and CC7.1) as requiring annual penetration testing with a closed remediation loop. The pentest is one control — important, but not the audit. The mistake founders make is treating it as a last-minute checkbox instead of an early input.

Schedule the test so there is time to remediate and retest before a Type I date or within the first quarter of a Type II observation period. The auditor wants to see a finding-to-fix cycle, not a single snapshot. Make sure the pentest scope matches the system boundary from Step 1 — if your system description says "all production services" but the pentest only covered the marketing site, that is a finding against you.

We cover the scoping mechanics, cost ranges, and the fourteen common mistakes in the dedicated SOC 2 pentest prep guide. For the engagement itself, see the penetration testing service and the web app pentest page. A report that maps findings to MITRE ATT&CK signals methodology depth that auditors increasingly look for.

Before the formal audit, run a readiness assessment — a gap analysis against the criteria, done by your compliance platform, a consultant, or the audit firm's advisory arm. It tells you which controls are missing or under-evidenced while you still have time to fix them. Going into the real audit without one is how companies burn an audit cycle on findings they could have closed quietly.

The audit itself must be performed by a licensed CPA firm — that is a non-negotiable requirement of SOC 2, which is an AICPA attestation. The firm conducts fieldwork, samples your evidence, may interview control owners, documents exceptions, and issues the report. For a Type II, the report describes how controls operated across the period and lists any exceptions with management responses.