SOC2 Audit Planning



Before you plan a SOC2 audit, ensure that all stakeholders agree to participate in it. Then you can start planning the audit. You have two choices:

  • Hire the audit firm to create the control framework and also conduct the audit.
  • Your internal team creates the control framework and the audit firm conducts the audit against those controls.

In my eyes, the second option saves a lot of money and control owner fatigue, provided you have internal staff capable of undertaking these activities.


It is highly recommended that the SOC2 audit planning team consider the following areas.

Trust Services Criteria

Previously called Trust Services Principles & Criteria, the new name is Trust Services Criteria.

Decide which Trust Services Criteria to include:

  • Security: The system is protected against unauthorized access, use, or modification
  • Availability: The system is available for operation and use as committed or agreed
  • Processing Integrity: System processing is complete, valid, accurate, timely, and authorized
  • Confidentiality: Information designated as confidential is protected as committed or agreed
  • Privacy: The system’s collection, use, retention, disclosure, and disposal of personal information are in conformity with the commitments in the service organization’s privacy notice and with criteria set forth in the Generally Accepted Privacy Principles (GAPP) issued by the AICPA and CICA

Key Business Areas

To ensure the success of the audit, confirm that the following stakeholders agree to participate in it.

  • Business line VP
  • Product managers
  • Human resources
  • Change management
  • Corporate security
  • Incident Management (both technical and security)
  • Network Support
  • Server Support
  • Database Support
  • Storage Support


Audit Artifacts

Once you have identified all the stakeholders and you have their buy-in, the following items should be completed.

  • The system description should be created by the product managers, as it should outline what the system being audited does. The information should be enough to describe the system to the external party who is consuming the service, and it should align with whatever service you are offering.
  • The control framework should be designed with input from the control owners. Control owners must be informed that this audit focuses on the design and operating effectiveness of the controls. Hence the controls must be designed in such a manner that they can also be operated without any issues while addressing the requirement. Once the controls are designed, the operational documentation will need to be created and team members trained to operate the control as documented. This whole activity of control design and implementation can take upwards of six months in a large organization.



The control framework and system description are key to the success of your audit; if you can ensure these are done correctly, half of the battle has already been won. Since this is going to be year one of the audit, a SOC2 Type 1 will be conducted, where design effectiveness of the controls is required. To avoid year two becoming a challenge, ensure that the teams start operating the controls as soon as they are designed.