How-to Playbook

How to prepare for a SOC 2 Type 2 audit

Type 2 tests whether your controls actually operated over months, not just existed on one day. Preparing means running the program, not cramming for it.

Talk to usFree to start - no card required.

Type 1 versus Type 2

AspectType 1Type 2
What it testsControls designed at a point in timeControls operating over a period
PeriodA single dateTypically 3 to 12 months
EvidenceControl designRepeated operation across the period
WeightA starting pointWhat most customers actually want
The two kinds of SOC 2 report

Type 2 is harder because you cannot fake a period. The auditor samples evidence across the whole observation window, so a control has to have genuinely operated month after month - which is why continuous evidence collection matters so much.

How to prepare

  1. 1Scope the Trust Services Criteria relevant to your service - security is required, others as applicable.
  2. 2Map each criterion to the controls that satisfy it.
  3. 3Remediate gaps before the observation period starts, not during it.
  4. 4Operate the controls consistently across the full period.
  5. 5Collect evidence continuously so the auditor sample is already there.
  6. 6Run a readiness check before the auditor arrives.

The Trust Services Criteria

  • Security - required in every SOC 2, covering protection against unauthorized access.
  • Availability - whether the system meets uptime commitments.
  • Processing integrity - whether processing is complete, valid, and accurate.
  • Confidentiality - protection of information designated confidential.
  • Privacy - how personal information is collected, used, and retained.

How SentriAI gets you audit-ready

  • SOC 2 evidence automation collects evidence continuously across the observation period.
  • Continuous control monitoring proves controls operated month after month, not just once.
  • A control-to-evidence mapping ties each Trust Services Criterion to living evidence.
  • An auditor portal lets the auditor sample from a tamper-evident record directly.

Frequently asked questions

What is the difference between SOC 2 Type 1 and Type 2?

Type 1 assesses whether controls are designed appropriately at a single point in time. Type 2 assesses whether they actually operated effectively over a period, typically three to twelve months. Type 2 is what most customers want, because it proves controls worked continuously rather than existing on one day.

How long is a SOC 2 Type 2 observation period?

Usually three to twelve months. A first report often covers a shorter window like three months, with subsequent reports covering a full year. During the period the auditor samples evidence throughout, so controls must genuinely operate the entire time - you cannot backfill a period after the fact.

What are the SOC 2 Trust Services Criteria?

They are the five categories a SOC 2 can cover: security, availability, processing integrity, confidentiality, and privacy. Security is required in every SOC 2; the others are included based on what you commit to customers. You scope which criteria apply and map controls to each.

How do I collect evidence for a SOC 2 Type 2?

Continuously, throughout the observation period, because the auditor samples across the whole window. Collecting evidence as controls operate - rather than gathering it at the end - means the sample the auditor needs already exists. This is exactly what continuous control monitoring and evidence automation are built to do.

Stay in the loop

One practical finance briefing a week - new guides, checklists, and benchmarks.

 

Pass Type 2 by running the program

SentriAI operates controls and collects evidence across the whole period. Free to start, no card required.

Talk to us