SOC 2 Audit Readiness Workspace: From Scoping to Internal Audit in 9 Steps

You: DataVault Technologies is a B2B SaaS company providing secure document management and collaboration. We’re based in Austin, TX with 120 employees. We run on AWS (us-east-1 and eu-west-1), use Okta for IAM, GitHub for source control, Datadog for monitoring, and Stripe for billing. We have 99.9% uptime SLAs with enterprise customers and are subject to SOC 2. Sarah Chen is our CISO, Michael Torres is CTO.

Agent: I’ve drafted the organization profile. Let me run the boundary validator and CUEC mapper.

The boundary validator found 1 error and 1 warning:

• [ERROR] No CSOCs defined — you have 3 carved-out subservice organizations (AWS, Datadog, Stripe) but haven’t documented the controls you assume are in place at each. I’ll need those before this passes.
• [WARNING] No out-of-scope items defined. Explicitly stating exclusions helps auditors and prevents scope creep.

The CUEC mapper flagged that no CUECs are defined yet. What responsibilities do your customers have for securing their use of DataVault?

You: Customers must enforce MFA for admin accounts, decommission users when employees leave, configure IP allowlisting for restricted access, report suspected security incidents within 24 hours, and maintain the security of documents before upload.

Agent: I’ve added 5 CUECs and defined CSOCs for all three carved-out vendors. Both validators now pass — boundary validator reports PASS with all 9 checks satisfied, and the CUEC mapper confirms all 5 CUECs are specific (minimum 50 characters) and mapped to TSC categories.

I’ve saved organization-profile.json and updated the dashboard: Organization Profile complete, TSC categories in scope are Security (CC) and Availability (A), audit type is Type II.

You: Draft the system description for our SOC 2 Type II audit. The audit period is July 1, 2025 through June 30, 2026.

Agent: I’ve loaded the organization profile and started the system description. Let me gather the remaining details for the five system components.

I need to understand your infrastructure beyond AWS — databases, caching, CDN, networking. Also your application stack, CI/CD pipeline, and data types processed.

You: AWS runs everything: RDS PostgreSQL, ElastiCache Redis, ALB, CloudFront CDN, S3 for document storage. Our app is Node.js/React deployed via GitHub Actions. We store customer documents, user profiles, collaboration metadata, and audit logs. Change management goes through PR reviews with required approvals and automated security scans.

Agent: I’ve built the system description JSON and run the completeness checker. Two errors found:

• [ERROR] Missing CUECs in the description narrative — I can pull these from the organization profile automatically.
• [ERROR] Control environment narrative doesn’t cover CC1–CC9 yet. I’ll draft the governance, risk assessment, information, and monitoring sections now.

After adding CUECs from the profile and drafting the CC1–CC9 control environment, the completeness checker now passes with 0 errors. The trust services scope validator confirms Security (CC) and Availability (A) are properly scoped.

I’ve saved the system description to output/datavault-soc2-system-description.md — 18 pages covering all AICPA-required sections.

You: Conduct the risk assessment based on our organization profile. We should cover all TSC domains for Security and Availability.

Agent: I’ve established the 5×5 risk methodology with an appetite threshold of 12. Using the 12 TSC risk domains, I’ve identified 11 risks across Security (CC1–CC9) and Availability (A1). Let me run the validation suite.

The risk-to-TSC mapper confirmed all 11 risks map to valid criteria. However, it flagged 2 in-scope criteria with no associated risk: CC4.2 (evaluating and communicating deficiencies) and A1.3 (recovery). I’ll add risks for those.

After adding 2 more risks (13 total), the control gap identifier found 3 criteria where risks exist but no controls are mapped: CC3.4 (fraud risk), CC8.1 (change management for infrastructure), and A1.2 (capacity planning). These need controls assigned.

Once controls are mapped, the residual risk validator confirmed all entries pass — residual ≤ inherent, all risks above appetite have treatment decisions, and accepted risks have documented rationale.

You: Run the gap analysis against our controls inventory and TSC criteria.

Agent: I’ve loaded the controls inventory and run the TSC mapping engine. Coverage: CC 82%, A 67%. There are 5 unmapped criteria — including CC4.2 (evaluating deficiencies), A1.2 (capacity), and A1.3 (recovery).

The evidence artifact validator found 4 implemented controls missing a Test of Effectiveness and 2 controls with no evidence artifacts at all. I’ve built the remediation roadmap:

• Phase 1 (Immediate): Map missing CC criteria and add Tests of Effectiveness for the 4 controls
• Phase 2 (Short-term): Address Availability gaps — capacity planning procedure and disaster recovery testing
• Phase 3 (Pre-audit): Complete evidence collection for all controls and run full validation

You: Draft control narratives for all in-scope criteria — CC1–CC9 and A1.

Agent: I’ve created soc2-control-narratives.md with sections for each criterion. For CC6 (Logical and Physical Access), I’ve described Okta SSO with MFA enforcement, RBAC via AWS IAM, quarterly access reviews, and 24-hour termination deprovisioning. Evidence placeholders reference your Okta configuration export, access review report, and HR offboarding checklist.

Let me run the TSC coverage checker. Result: all 10 major criteria referenced (CC1–CC9, A1). Two warnings — CC4 and CC7 need clearer evidence references. I’ll add the specific Datadog monitoring dashboard and the deficiency reporting procedure as evidence.

After revision, all checks pass. Each criterion has a narrative and at least one evidence reference.

You: Generate all required policies for our SOC 2 engagement.

Agent: I’ve generated 8 core policies based on your organization profile and risk register:

1. POL-001 Information Security Policy — Governance, roles, commitments (CC1, CC2)
2. POL-002 Access Control Policy — Logical/physical access, MFA, RBAC (CC6)
3. POL-003 Change Management Policy — PR reviews, CI/CD, rollback (CC8)
4. POL-004 Incident Response Policy — Detection, triage, notification (CC7)
5. POL-005 Risk Assessment Policy — Methodology, treatment, monitoring (CC3, CC9)
6. POL-006 Vendor Management Policy — Third-party risk, SOC reports (CC9)
7. POL-007 Business Continuity Policy — BCP/DRP, RTO/RPO (A1)
8. POL-008 Data Classification Policy — Classification levels, handling (CC6, C1)

The policy completeness checker ran on each: 7 passed, POL-004 had a warning — the incident notification SLA says “promptly” instead of a specific timeframe. I’ve updated it to “within 72 hours of confirmation” to match your service commitments.

The policy TSC mapper shows 100% coverage of in-scope criteria across the 8 policies. All policies reference named roles (Sarah Chen as CISO, Michael Torres as CTO) and actual systems (Okta, AWS, GitHub).

You: Build the vendor management program based on our organization profile.

Agent: I’ve identified 5 vendors from the organization profile and extended the list with 3 additional third parties that have data access. Running the vendor risk scorer now.

Tier classification:

• Critical: AWS (hosts all customer data and infrastructure), Okta (controls authentication)
• High: GitHub (source code access), Stripe (payment data processing)
• Medium: Datadog (infrastructure monitoring, log ingestion), SendGrid (email delivery)
• Low: Calendly (scheduling), Notion (internal documentation)

The SOC report review checker found:

• AWS, Okta, GitHub, and Stripe all have current SOC 2 Type II reports (< 12 months) — PASS
• Datadog has a SOC 2 report but it expires next month — WARNING, flag for renewal tracking
• SendGrid SOC 2 report is current — PASS
• CSOCs from the system description are validated against the vendor controls described in their reports — PASS

I’ve produced the Vendor Risk Assessment Framework, Vendor Register, and Vendor Security Requirements documents.

You: Build the control testing plan for our Type II audit period (July 2025 – June 2026).

Agent: I’ve built the testing plan covering all 13 in-scope TSC criteria. Each control has a defined testing method, frequency, tester, and expected evidence. Let me validate.

The test plan validator confirmed all criteria have at least one tested control. One warning: CTRL-AC-003 (access reviews) is tested only by inquiry — I’ve upgraded it to inspection + reperformance (re-execute a sample of quarterly access reviews independently).

The evidence coverage checker shows 85% coverage — 3 controls are still pending evidence collection. Evidence strength is adequate: 60% inspection/reperformance, 30% observation, 10% inquiry (always combined with another method).

The exception tracker found 2 existing exceptions:

• EXC-001 (Minor): One quarterly access review was completed 5 days late. Root cause: reviewer on PTO. Remediation: backup reviewer assigned.
• EXC-002 (Moderate): Backup restoration test not performed in Q3. Root cause: infrastructure team transition. Remediation: scheduled for Q4 with documented procedure.

Both exceptions have remediation plans, owners, and target dates — all checks pass.

You: Conduct the internal readiness audit for our SOC 2 Type II engagement.

Agent: I’ve loaded all prior artifacts — organization profile, system description, risk register, gap analysis, control narratives, 8 policies, vendor register, testing plan, and evidence matrix. Let me draft the audit plan and run validation.

The audit plan validator confirmed: all 13 in-scope TSC criteria are covered, audit period matches the engagement (July 2025 – June 2026), auditor independence is documented, and sampling methodology is defined.

I’ve completed control testing. Three findings identified:

FIND-001 (Backup Verification, A1.2): Significant Deficiency. DR test was not performed in Q3 2025 — the control exists but didn’t operate effectively during the period. Root cause: infrastructure team transition. Recommendation: complete DR test immediately and implement automated scheduling.

FIND-002 (Access Review Timeliness, CC6.3): Deficiency. One of four quarterly access reviews was completed 5 days late. Control operated but not within the defined timeline. Recommendation: assign backup reviewer for PTO coverage.

FIND-003 (Vendor SOC Report Tracking, CC9.2): Observation. Datadog SOC 2 report approaching expiration with no automated renewal tracking. Recommendation: implement vendor certification expiration alerts.

The finding severity classifier confirmed all classifications are consistent with AICPA guidance. The evidence organizer mapped all evidence to TSC criteria — 2 criteria have evidence gaps that need attention before the external audit.

Overall readiness: Conditionally Ready. No material weaknesses. One significant deficiency (FIND-001) has an active remediation plan. Recommend completing DR test and evidence collection before engaging the external auditor.