SOC 2 · Continuous Compliance

SOC 2 Type II,
run continuously.

Most teams treat SOC 2 like a fire drill — three months of scrambling for evidence, one audit sprint, then dormant until next year. We run it as a live program instead. Evidence captured as it happens, controls tracked continuously, and a board-ready report on demand — not on deadline.

01 /

What SOC 2 actually requires.

Without the AICPA jargon

SOC 2 is an audit against the AICPA's Trust Services Criteria — Security is required, and you pick which of the other four apply. Type I tests whether your controls are designed correctly on a specific date. Type II tests whether they operated effectively over 3-12 months. Most buyers want to see Type II.

01
The five Trust Services Criteria

Security is mandatory. Availability covers uptime commitments. Confidentiality covers customer data protection beyond access. Processing Integrity covers transactional systems. Privacy covers PII handling. Most SaaS clients start with Security + Availability + Confidentiality.

02
Continuous evidence, not a snapshot

Type II requires evidence that controls operated across an audit period — usually 6 months. That means daily access reviews, quarterly vendor checks, monthly change logs, and dozens of other timestamped artifacts. Not a one-time upload.

03
A CPA firm to issue the report

Only licensed CPA firms can issue SOC 2 reports. Their fieldwork typically takes 4-8 weeks after your audit period ends, and their fees range from ~$15K on the low end to $60K+ for complex scopes. We work with several auditors and can introduce you to firms that fit your stage.

02 /

Why most SOC 2 programs fail the same way.

The predictable failure mode

Most SOC 2 programs don't fail because the controls are wrong. They fail because the evidence lives in fifteen places, ownership is fuzzy, and nobody touches the program between audits. By the time the auditor arrives, half the year has to be reconstructed from email threads and Drive folders.

Evidence sprawl

Access reviews in Slack DMs. Vendor questionnaires on someone's laptop. Change tickets in a JIRA nobody archives. The audit period passes and nobody has a single source of truth — so pre-audit becomes an evidence archaeology project.

Owner drift

Who's responsible for CC6.1? The security engineer who left last quarter. Who reviews vendor SOC 2s? "The compliance person" who was actually your ops manager wearing a second hat. Controls without clear owners don't get evidence — they get excuses.

Dormancy between audits

Once the report is signed, the program goes back to dormant. Twelve months pass. New systems get deployed, staff turn over, vendors change — and none of it flows into the compliance record. Next year's audit becomes another scramble.

03 /

How we run SOC 2 differently.

Continuous, not point-in-time

Our Managed Program treats SOC 2 as continuous operations, not an annual project. You get the dashboard. We do the work behind it. Same platform your auditor sees; same source of truth your team operates against.

/ 01
Every control has an owner
All 64+ TSC controls mapped to real people (or our team). No orphaned controls, no "we'll figure it out later." Owners get automated evidence prompts on the cadence the criteria actually require.
/ 02
Evidence captured live
Access reviews, vendor cadences, change logs, backup tests, incident response drills — captured as they happen, timestamped, and stored in the same system your auditor pulls from. Zero reconstruction.
/ 03
Audit-ready reporting
Board packs, exec summaries, and the auditor's evidence package are all generated from the same live program data. When the audit period ends, the report is a click, not a project.
04 /

What SOC 2 looks like on our platform.

Sample deliverables · Anonymized

A live SOC 2 program produces artifacts continuously — coverage scores that stay current, drift and exceptions caught as they happen, and an evidence package your auditor can pull without waiting on your team. Anonymized samples from real client programs, showing what SOC 2 looks like when it's operated instead of scrambled.

Sample

Framework Coverage · Live

Northwind Health, Inc. · March 2026

Frameworks Tracked · 5
Controls Mapped · 487
Last Sync · 7 min ago
SOC 2 TYPE II
94%
ISO 27001:2022
81%
HIPAA SEC. RULE
68%
NIST CSF 2.0
76%
PCI DSS 4.0
59%
Drift & Exceptions · Last 14 Days
FrameworkFindingDetectedStatus
SOC 2 Two quarterly access reviews overdue (T2 vendors) 2026-03-04 Assigned
HIPAA BAA expired for one vendor (renewal in progress) 2026-03-11 Tracked
PCI DSS Cardholder data flow diagram out of date 2026-02-27 Remediating
Sample

Evidence Package · SOC 2 Type II

Northwind Health, Inc. · Audit Period 2025-10 through 2026-03

Artifacts · 2,847
Controls Covered · 64 / 64
Delivery · Auditor Portal
Control Evidence Artifact Timestamp Source
CC6.2Q4 2025 privileged access review · signed & archived2025-12-18 09:14Adalace
CC6.6Weekly vulnerability scan reports (13 weeks)2025-10-01 → 2026-03-31Tenable
CC7.1SIEM alert triage log · quarterly rollup2026-01-05 14:22Adalace
CC7.4Tabletop incident response exercise · executed & documented2026-02-11 10:00Adalace
CC8.1Change advisory board minutes · 26 weeks2025-10-06 → 2026-03-30JIRA
CC9.2Backup restore test · full recovery drill2026-03-22 15:47Adalace
05 /

SOC 2 questions we hear most.

Straight answers
How long does a SOC 2 Type II audit really take?+

Most teams underestimate this. From the day you decide to pursue SOC 2 to the day you have a signed report in hand, plan on 6–12 months — broken roughly into: 2–6 weeks of readiness work, 3–6 months of evidence collection (the audit period), then 4–8 weeks of fieldwork and report finalization. Through the Managed Program, the audit period feels like business-as-usual because evidence is already being captured continuously.

What's the difference between Type I and Type II?+

Type I is a point-in-time snapshot — auditors verify that your controls are designed correctly on a specific date. Type II verifies that those controls actually operated effectively over a period (usually 3–12 months). Most enterprise buyers want to see Type II. We typically recommend going straight to Type II unless you have a hard deadline and need the Type I as an interim deliverable.

How much does a SOC 2 cost?+

The audit itself runs roughly $15K–$60K depending on scope, auditor firm, and Trust Services Criteria included. Readiness work — implementing controls, building evidence, training the team — can be the bigger line item, often $30K–$150K+ if you start from scratch. Through the Managed Program, readiness is folded into the ongoing engagement so you're not paying for it as a separate project every year.

See All SOC 2 FAQs

Ready to run SOC 2 continuously?

Book a Walkthrough