Most teams treat SOC 2 like a fire drill — three months of scrambling for evidence, one audit sprint, then dormant until next year. We run it as a live program instead. Evidence captured as it happens, controls tracked continuously, and a board-ready report on demand — not on deadline.
SOC 2 is an audit against the AICPA's Trust Services Criteria — Security is required, and you pick which of the other four apply. Type I tests whether your controls are designed correctly on a specific date. Type II tests whether they operated effectively over 3-12 months. Most buyers want to see Type II.
Security is mandatory. Availability covers uptime commitments. Confidentiality covers customer data protection beyond access. Processing Integrity covers transactional systems. Privacy covers PII handling. Most SaaS clients start with Security + Availability + Confidentiality.
Type II requires evidence that controls operated across an audit period — usually 6 months. That means daily access reviews, quarterly vendor checks, monthly change logs, and dozens of other timestamped artifacts. Not a one-time upload.
Only licensed CPA firms can issue SOC 2 reports. Their fieldwork typically takes 4-8 weeks after your audit period ends, and their fees range from ~$15K on the low end to $60K+ for complex scopes. We work with several auditors and can introduce you to firms that fit your stage.
Most SOC 2 programs don't fail because the controls are wrong. They fail because the evidence lives in fifteen places, ownership is fuzzy, and nobody touches the program between audits. By the time the auditor arrives, half the year has to be reconstructed from email threads and Drive folders.
Access reviews in Slack DMs. Vendor questionnaires on someone's laptop. Change tickets in a JIRA nobody archives. The audit period passes and nobody has a single source of truth — so pre-audit becomes an evidence archaeology project.
Who's responsible for CC6.1? The security engineer who left last quarter. Who reviews vendor SOC 2s? "The compliance person" who was actually your ops manager wearing a second hat. Controls without clear owners don't get evidence — they get excuses.
Once the report is signed, the program goes back to dormant. Twelve months pass. New systems get deployed, staff turn over, vendors change — and none of it flows into the compliance record. Next year's audit becomes another scramble.
Our Managed Program treats SOC 2 as continuous operations, not an annual project. You get the dashboard. We do the work behind it. Same platform your auditor sees; same source of truth your team operates against.
A live SOC 2 program produces artifacts continuously — coverage scores that stay current, drift and exceptions caught as they happen, and an evidence package your auditor can pull without waiting on your team. Anonymized samples from real client programs, showing what SOC 2 looks like when it's operated instead of scrambled.
Northwind Health, Inc. · March 2026
| Framework | Finding | Detected | Status |
|---|---|---|---|
| SOC 2 | Two quarterly access reviews overdue (T2 vendors) | 2026-03-04 | Assigned |
| HIPAA | BAA expired for one vendor (renewal in progress) | 2026-03-11 | Tracked |
| PCI DSS | Cardholder data flow diagram out of date | 2026-02-27 | Remediating |
Northwind Health, Inc. · Audit Period 2025-10 through 2026-03
| Control | Evidence Artifact | Timestamp | Source |
|---|---|---|---|
| CC6.2 | Q4 2025 privileged access review · signed & archived | 2025-12-18 09:14 | Adalace |
| CC6.6 | Weekly vulnerability scan reports (13 weeks) | 2025-10-01 → 2026-03-31 | Tenable |
| CC7.1 | SIEM alert triage log · quarterly rollup | 2026-01-05 14:22 | Adalace |
| CC7.4 | Tabletop incident response exercise · executed & documented | 2026-02-11 10:00 | Adalace |
| CC8.1 | Change advisory board minutes · 26 weeks | 2025-10-06 → 2026-03-30 | JIRA |
| CC9.2 | Backup restore test · full recovery drill | 2026-03-22 15:47 | Adalace |
Most teams underestimate this. From the day you decide to pursue SOC 2 to the day you have a signed report in hand, plan on 6–12 months — broken roughly into: 2–6 weeks of readiness work, 3–6 months of evidence collection (the audit period), then 4–8 weeks of fieldwork and report finalization. Through the Managed Program, the audit period feels like business-as-usual because evidence is already being captured continuously.
Type I is a point-in-time snapshot — auditors verify that your controls are designed correctly on a specific date. Type II verifies that those controls actually operated effectively over a period (usually 3–12 months). Most enterprise buyers want to see Type II. We typically recommend going straight to Type II unless you have a hard deadline and need the Type I as an interim deliverable.
The audit itself runs roughly $15K–$60K depending on scope, auditor firm, and Trust Services Criteria included. Readiness work — implementing controls, building evidence, training the team — can be the bigger line item, often $30K–$150K+ if you start from scratch. Through the Managed Program, readiness is folded into the ongoing engagement so you're not paying for it as a separate project every year.