# SOC 2 Internal Audit

> Conduct an internal readiness audit for SOC 2 certification. Tests controls per TSC criteria, classifies findings by AICPA severity (Material Weakness, Significant Deficiency, Deficiency, Observation), organizes evidence for auditor handoff, tracks management responses, and produces a readiness assessment. The capstone skill that determines whether the organization is ready to engage an external auditor.



Tags: Compliance, Security, SOC 2, Audit, AICPA, Internal Audit, GRC


## Example Prompts

- Conduct an internal readiness audit for our SOC 2 Type II engagement
- Test our controls against all in-scope TSC criteria
- Classify our audit findings by AICPA severity guidance
- Produce a readiness assessment before engaging the external auditor

URL: https://rakenne.app/skills/soc2-internal-audit/index.md

Try this skill: https://rakenne.app/a/?skill=soc2-internal-audit



## Overview

The internal audit is the final checkpoint — it simulates the external auditor's approach to determine readiness. It pulls from all prior artifacts (organization profile, system description, risk register, gap analysis, control narratives, policies, vendor register, testing results) to conduct a comprehensive evaluation. The readiness conclusion — Ready, Conditionally Ready, or Not Ready — tells you whether it's time to engage the external auditor or address remaining gaps first.

## Getting Started

Complete as many of the prior SOC 2 skills as possible before running the internal audit — organization profile, system description, risk assessment, gap analysis, control narratives, policies, vendor management, and monitoring & testing. Then activate the *SOC 2 Internal Audit* skill. The agent loads all prior artifacts, drafts the audit plan, tests controls, classifies findings, and produces the readiness assessment.

## Example Conversation

Below is an example of how a typical internal audit session unfolds. The agent loads all prior artifacts, validates the audit plan, tests controls, and classifies findings per AICPA severity guidance.

> **You:** Conduct the internal readiness audit for our SOC 2 Type II engagement. All 8 prior skills have been completed.
>
> **Agent:** I've loaded all prior artifacts:
> - Organization profile (DataVault Technologies, Security + Availability, Type II)
> - System description (18 pages, Section III narrative)
> - Risk register (15 risks, all treated)
> - Gap analysis (5 gaps identified, 3 closed)
> - Control narratives (36 criteria covered)
> - 8 policies (POL-001 through POL-008)
> - Vendor register (8 vendors, all assessed)
> - Testing plan (22 controls), evidence matrix (86% collected), exception tracker (2 exceptions)
>
> Drafting the audit plan now. *[Runs audit_plan_validator]* Results:
> - All 36 in-scope TSC criteria covered ✓
> - Audit period matches engagement (July 2025 – June 2026) ✓
> - Auditor independence documented (Lisa Park — not involved in control design or operation) ✓
> - Sampling methodology defined (population-based per AICPA guidance) ✓
> - AICPA standards referenced (AT-C 105, AT-C 205) ✓
>
> Now testing controls per criteria. Testing complete — 3 findings identified.
>
> *[Runs finding_severity_classifier]* Classification:
>
> **FIND-001** — Backup Verification (A1.2): **Significant Deficiency.**
> - Criteria: A1.2 (environmental protections, recovery infrastructure)
> - Condition: DR test was not performed in Q3 2025
> - Cause: Infrastructure team transition — 2 SREs departed in August
> - Effect: Cannot demonstrate recovery capability for 3 months of the audit period
> - Recommendation: Complete DR test immediately; implement automated scheduling
>
> **FIND-002** — Access Review Timeliness (CC6.3): **Deficiency.**
> - Criteria: CC6.3 (restrictions on access)
> - Condition: Q2 access review completed 5 days past deadline
> - Cause: Reviewer on PTO without designated backup
> - Effect: Limited — review was completed, just late. No unauthorized access detected.
> - Recommendation: Assign backup reviewer; calendar alerts for review deadlines
>
> **FIND-003** — Vendor SOC Report Tracking (CC9.2): **Observation.**
> - Criteria: CC9.2 (vendor risk management)
> - Condition: Datadog SOC 2 report approaching expiration without automated tracking
> - Cause: No vendor certification renewal alerting process
> - Effect: No current impact — report still valid. Risk of lapsed coverage.
> - Recommendation: Implement vendor certification expiration alerts in tracking system
>
> All finding classifications consistent with AICPA severity guidance ✓
>
> **You:** Organize the evidence and give me the readiness assessment.
>
> **Agent:** *[Runs evidence_organizer]* Evidence mapped to all 36 TSC criteria and 22 controls. Two criteria have evidence gaps: A1.2 (missing Q3 DR test) and A1.3 (DR recovery time logs incomplete). I've produced the evidence summary for auditor handoff.
>
> **Overall Readiness: Conditionally Ready.**
> - No material weaknesses identified
> - 1 significant deficiency (FIND-001) with active remediation plan — DR test scheduled for November
> - 1 deficiency (FIND-002) with corrective action already implemented (backup reviewer assigned)
> - 1 observation (FIND-003) — improvement opportunity, not blocking
> - Evidence 86% complete — 2 gaps to address before external audit
>
> **Recommendation:** Complete the DR test and evidence collection for A1.2/A1.3, then engage the external auditor. Expected timeline to "Ready" status: 4–6 weeks.
>
> I've saved the Internal Audit Plan, Internal Audit Report, and Management Response Tracker. Dashboard updated: 3 findings total (0 Material Weakness, 1 Significant Deficiency, 1 Deficiency, 1 Observation), 100% management response rate, audit readiness "Conditionally Ready".

## Sample Output Excerpt

Below is a representative excerpt from the internal audit report, showing the findings summary and TSC criteria testing results.

---

### Executive Summary

DataVault Technologies completed an internal readiness audit for SOC 2 Type II covering the period July 1, 2025 through June 30, 2026. The audit tested controls addressing 36 in-scope Trust Services Criteria (Security CC1–CC9, Availability A1.1–A1.3).

**Readiness Assessment: Conditionally Ready.**

Three findings were identified: one Significant Deficiency (DR test gap), one Deficiency (access review timeliness), and one Observation (vendor tracking improvement). No material weaknesses were found. Management has responded to all findings with action plans and target dates. The organization should complete DR testing and evidence collection before engaging the external auditor.

### Findings Summary

| ID | Criteria | Severity | Status | Target Date |
|:---:|:---|:---|:---|:---|
| FIND-001 | A1.2 | Significant Deficiency | Open — DR test scheduled | 30 Nov 2025 |
| FIND-002 | CC6.3 | Deficiency | Resolved — backup reviewer assigned | Immediate |
| FIND-003 | CC9.2 | Observation | Open — alert system in progress | 31 Dec 2025 |

### TSC Criteria Testing Results (excerpt)

| Criterion | Control Tested | Design | Operating Effectiveness | Evidence | Result |
|:---:|:---|:---|:---|:---|:---|
| CC6.1 | CTRL-AC-001 (MFA) | Effective | Effective | Okta config, login logs | Pass |
| CC6.3 | CTRL-AC-003 (Access review) | Effective | Exception (5-day delay) | Review reports | Pass w/ exception |
| CC8.1 | CTRL-CM-001 (PR reviews) | Effective | Effective | GitHub merge history | Pass |
| A1.1 | CTRL-AV-001 (Monitoring) | Effective | Effective | Datadog dashboards | Pass |
| A1.2 | CTRL-DR-001 (DR test) | Effective | Not Tested (Q3 gap) | Pending | Fail |
| CC9.2 | CTRL-VM-001 (Vendor mgmt) | Effective | Effective | Vendor register, SOC reports | Pass |

---

## Built-in Validation

The skill includes three validation tools that check audit plan completeness, finding severity classification, and evidence organization. The agent runs all three during the audit process.

### What the validators check

**Audit Plan Validator:**

| Check Category | What It Validates | Severity |
|---|---|---|
| TSC criteria coverage | All in-scope criteria included in audit scope | ERROR if missing |
| Audit period | Matches the engagement period (Type II) or point-in-time (Type I) | ERROR if mismatched |
| Auditor independence | Auditor is not auditing their own work | ERROR if not documented |
| Sampling methodology | Defined for Type II (population-based sampling) | WARNING if missing |
| Schedule | Milestones and timeline included | WARNING if missing |
| AICPA standards | References AT-C 105, AT-C 205 | INFO |

**Finding Severity Classifier:**

| Check Category | What It Validates | Severity |
|---|---|---|
| Required elements | Each finding has: criteria, condition, cause, effect, recommendation | ERROR if incomplete |
| Classification consistency | Severity matches AICPA guidance — Material Weakness (control doesn't exist/fundamentally fails), Significant Deficiency (exists but doesn't operate effectively), Deficiency (minor gap), Observation (improvement) | WARNING if inconsistent |
| Root cause analysis | Each finding has documented root cause | WARNING if missing |
| Recommendations | Each finding has specific, actionable recommendations | WARNING if missing |

**Evidence Organizer:**

| Check Category | What It Validates | Severity |
|---|---|---|
| Evidence mapping | All evidence mapped to TSC criteria and controls | Produces summary table |
| Insufficient evidence | TSC criteria with no evidence or weak evidence | WARNING per criterion |
| Auditor handoff | Summary table: criterion → control → evidence → test result | Produces handoff document |
| Stale evidence | Evidence older than 12 months | WARNING per item |
| Completeness | Criteria with no evidence at all | ERROR per criterion |
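As an added illustration (not the skill's own validator code), the following Python sketch implements the two checks the Finding Severity Classifier table describes: completeness of the five required elements and consistency of the assigned severity with the AICPA tiers. The structured fields `control_exists`, `operated_effectively` and `impact` are assumed inputs; the sample findings are constructed from the conversation above, plus one hypothetical misclassified finding.

```python
from dataclasses import dataclass

REQUIRED = ("criteria", "condition", "cause", "effect", "recommendation")
SEVERITIES = ("Material Weakness", "Significant Deficiency", "Deficiency", "Observation")

@dataclass
class Finding:
    id: str
    severity: str               # severity the internal auditor assigned
    elements: dict              # the five required elements, keyed as in REQUIRED
    control_exists: bool        # a control addressing the criterion exists at all
    operated_effectively: bool  # it operated as designed throughout the period
    impact: str                 # "none", "minor" or "significant"

def expected_severity(f: Finding) -> str:
    """Map the facts of a finding onto the AICPA severity tiers described above."""
    if not f.control_exists:
        return "Material Weakness"       # control missing or fundamentally fails
    if f.impact == "none":
        return "Observation"             # improvement opportunity, no deficiency
    if not f.operated_effectively and f.impact == "significant":
        return "Significant Deficiency"  # exists but did not operate effectively
    return "Deficiency"                  # minor gap

def classify(findings) -> list:  # -> [(finding_id, level, message)]
    rows = []
    for f in findings:
        missing = [k for k in REQUIRED if not str(f.elements.get(k, "")).strip()]
        rows.append((f.id, "ERROR", "missing: " + ", ".join(missing)) if missing
                    else (f.id, "PASS", "all 5 elements present"))
        exp = expected_severity(f)
        if f.severity not in SEVERITIES:
            rows.append((f.id, "ERROR", f"unknown severity '{f.severity}'"))
        elif f.severity != exp:
            rows.append((f.id, "WARNING", f"classified {f.severity}, facts suggest {exp}"))
        else:
            rows.append((f.id, "PASS", f"classification consistent ({exp})"))
    return rows

# Constructed sample: the three findings above plus a hypothetical FIND-004 whose
# assigned severity contradicts its facts and whose cause element is empty.
SAMPLE = [Finding(i, s, dict(zip(REQUIRED, e)), *facts) for i, s, e, facts in [
    ("FIND-001", "Significant Deficiency", ("A1.2", "DR test not run in Q3", "SRE departures",
     "3 months without recovery evidence", "Run DR test; automate"), (True, False, "significant")),
    ("FIND-002", "Deficiency", ("CC6.3", "Q2 review 5 days late", "No backup reviewer",
     "Limited", "Assign backup reviewer"), (True, False, "minor")),
    ("FIND-003", "Observation", ("CC9.2", "SOC report nearing expiry", "No renewal alerting",
     "None yet", "Add expiry alerts"), (True, True, "none")),
    ("FIND-004", "Observation", ("CC6.1", "MFA not enforced for admins", "",
     "Admin accounts exposed", "Enforce MFA"), (False, False, "significant")),
]]
```

Any ERROR row would map to a failed run and a WARNING row to an inconsistent classification, matching the severities in the table above.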

### Example validation output

```
========================================================================
SOC 2 Internal Audit — Finding Severity Classification
========================================================================

Findings analyzed: 3

  FIND-001 (A1.2): Significant Deficiency
    [PASS] All 5 elements present (criteria, condition, cause, effect,
      recommendation)
    [PASS] Classification consistent — control exists but did not
      operate effectively during Q3 period

  FIND-002 (CC6.3): Deficiency
    [PASS] All 5 elements present
    [PASS] Classification consistent — minor gap in timeliness, control
      operated but not within defined timeline

  FIND-003 (CC9.2): Observation
    [PASS] All 5 elements present
    [PASS] Classification consistent — improvement opportunity, no
      current deficiency in control operation

Result: PASS (all classifications consistent with AICPA guidance)
========================================================================
```

```
========================================================================
SOC 2 Internal Audit — Evidence Organization
========================================================================

TSC criteria: 36
Evidence items: 48

Coverage:
  With evidence: 34/36 criteria (94%)
  Gaps:
    [WARNING] A1.2: DR test report — pending (Q3 missed)
    [WARNING] A1.3: Recovery time logs — incomplete

Handoff summary: Generated at output/evidence-summary-for-auditor.md

Result: 94% coverage (2 criteria need attention)
========================================================================
```

Once all three validators have run, the agent produces the readiness assessment (Ready, Conditionally Ready, or Not Ready) that tells you whether it is time to engage the external auditor or to close the remaining gaps first.



