What Is a SOC 2?

SOC 2 is an attestation standard developed by the American Institute of Certified Public Accountants (AICPA) for service organizations that handle customer data. It evaluates whether a company's systems and controls meet one or more of five trust services criteria: security, availability, processing integrity, confidentiality, and privacy. Unlike a certification, SOC 2 produces an independent auditor's report that describes the organization's controls and the auditor's findings, not a pass/fail seal.

The Two Report Types and What They Cover

SOC 2 offers two report structures, and the distinction matters for both the audited firm and its prospective clients.

SOC 2 Type I assesses the design of controls at a specific point in time. The auditor reviews whether the controls are suitably designed to meet the selected trust criteria as of a particular date. A Type I report answers the question: did the controls look correct on the day we examined them?

SOC 2 Type II evaluates the operating effectiveness of those controls over a minimum observation period of six months, though many firms now seek twelve-month coverage. The auditor tests whether the controls actually functioned as designed throughout that period. A Type II report answers the question: did the controls work consistently over time?

The five trust services criteria are not all required. Security (the common criteria) is mandatory for every SOC 2 engagement. The organization then selects additional criteria based on its business and client expectations. A cloud hosting provider typically adds availability. A payment processor adds processing integrity. A healthcare SaaS vendor adds confidentiality and often privacy. The scope of the audit follows these selections, and the final report states explicitly which criteria were examined.

How the Audit Process Works in Practice

SOC 2 is not a government mandate. It is a market-driven attestation that firms pursue voluntarily, usually because a significant prospect or existing client demands it. The process begins with a readiness assessment, often conducted by the same CPA firm that will perform the eventual audit or by a separate consultant.

During readiness, the firm maps its existing controls against the selected trust criteria. Gaps are documented and remediated. This phase can take two to six months for a firm with mature infrastructure, longer for one building controls from minimal documentation. Common gap areas include incomplete access revocation procedures, missing change management logs, inadequate vendor risk assessments, and incident response plans that exist only as templates.

The formal audit follows. For Type I, the auditor reviews documentation, interviews personnel, and inspects system configurations. For Type II, the auditor adds testing of control operation across the observation period: sampling user access reviews, examining incident tickets, tracing backup execution logs, verifying encryption key rotation. The auditor issues a report with four possible opinions: unqualified (clean), qualified (exceptions noted), adverse (controls inadequate), or disclaimer (scope limitation prevented conclusion).
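The difference between a Type I design review and a Type II operating-effectiveness test is easier to see on concrete evidence. The following is an added example, not part of the original page and not any auditor's or tooling vendor's code: it models two common controls (disabling accounts of terminated staff within an SLA, and a daily backup job) over a constructed six-month observation window. The policy dictionary, the termination records, the backup log, the SLA value and the function names are all assumptions made up for this illustration. The design check passes because the policy reads correctly, while the period test surfaces the late and missing revocations and the gaps in the backup log that a Type II auditor would report as exceptions.

```python
"""Type I vs Type II on constructed control evidence (illustrative only)."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Termination:
    user: str
    terminated: date
    disabled: Optional[date]  # None means the account is still active


@dataclass(frozen=True)
class BackupRun:
    day: date
    status: str  # "success" or "failed"


# Constructed sample evidence for a six-month observation window.
OBSERVATION_START = date(2024, 1, 1)
OBSERVATION_END = date(2024, 6, 30)
REVOCATION_SLA_DAYS = 1  # assumed policy value

TERMINATIONS = [
    Termination("alice", date(2024, 1, 15), date(2024, 1, 15)),  # on time
    Termination("bob", date(2024, 2, 20), date(2024, 2, 27)),    # 7 days late
    Termination("carol", date(2024, 4, 3), None),                # never disabled
    Termination("dave", date(2024, 6, 12), date(2024, 6, 13)),   # on time
]


def _constructed_backup_log() -> List[BackupRun]:
    """Daily backups with two days never logged and one failed run."""
    runs = []
    day = OBSERVATION_START
    while day <= OBSERVATION_END:
        if day not in (date(2024, 3, 9), date(2024, 3, 10)):
            status = "failed" if day == date(2024, 5, 1) else "success"
            runs.append(BackupRun(day, status))
        day += timedelta(days=1)
    return runs


BACKUP_LOG = _constructed_backup_log()


def type1_design_check(policy: Dict[str, object]) -> List[str]:
    """Point-in-time check: is the control designed adequately?
    Looks only at the documented policy, never at how it operated."""
    findings = []
    if policy.get("revocation_sla_days") is None:
        findings.append("no documented revocation SLA")
    if policy.get("backup_frequency") != "daily":
        findings.append("backup frequency not daily")
    return findings


def revocation_exceptions(terms: List[Termination], sla_days: int,
                          start: date, end: date) -> Tuple[int, List[str]]:
    """Type II test over the window: every termination must be disabled
    within sla_days. Returns (population size, exception descriptions)."""
    population = [t for t in terms if start <= t.terminated <= end]
    exceptions = []
    for t in population:
        if t.disabled is None:
            exceptions.append(f"{t.user}: account never disabled")
        else:
            lag = (t.disabled - t.terminated).days
            if lag > sla_days:
                exceptions.append(f"{t.user}: disabled {lag} days after termination")
    return len(population), exceptions


def backup_exceptions(runs: List[BackupRun], start: date, end: date) -> List[str]:
    """Type II test over the window: one successful run logged per day."""
    by_day = {r.day: r.status for r in runs}
    exceptions = []
    day = start
    while day <= end:
        status = by_day.get(day)
        if status is None:
            exceptions.append(f"{day}: no backup run logged")
        elif status != "success":
            exceptions.append(f"{day}: backup {status}")
        day += timedelta(days=1)
    return exceptions


if __name__ == "__main__":
    policy = {"revocation_sla_days": REVOCATION_SLA_DAYS, "backup_frequency": "daily"}
    print("Type I design findings:", type1_design_check(policy) or "none")
    n, exc = revocation_exceptions(TERMINATIONS, REVOCATION_SLA_DAYS,
                                   OBSERVATION_START, OBSERVATION_END)
    print(f"Type II revocation: {len(exc)} exception(s) in a population of {n}")
    for line in exc + backup_exceptions(BACKUP_LOG, OBSERVATION_START, OBSERVATION_END):
        print("  ", line)
```

Running the script reports no Type I findings but two revocation exceptions and three backup exceptions; the same population and exception counts are what an auditor's sample-based testing is designed to surface, which is why a control that "looks correct" on the Type I date can still yield a qualified Type II opinion.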

The report itself contains management's description of the system, the auditor's opinion, and detailed findings. It is typically restricted to specified parties, though some firms now publish redacted versions for marketing purposes.

Why SOC 2 Matters to Compliance and Audit Prep Firms

If you run a firm that prepares clients for SOC 2, ISO 27001, CMMC, or similar attestations, you occupy a specific position in the market. Your clients are usually mid-size service organizations, $5M to $50M in revenue, that have outgrown informal security practices but lack dedicated compliance staff. They need the attestation to close enterprise deals, enter regulated supply chains, or satisfy board requirements.

The business model for SOC 2 prep firms typically combines readiness assessment, policy drafting, control implementation support, and sometimes ongoing monitoring. Revenue is project-based or retainer-based. Project fees for initial SOC 2 readiness range widely based on scope and client maturity, but the engagement is rarely trivial. The client relationship often extends to Type II maintenance, annual re-audit support, and expansion into additional criteria or frameworks.

Your pipeline problem is specific. The need for SOC 2 is event-driven: a client receives a vendor security questionnaire, a prospect's procurement team adds the requirement, or a board member asks the question. These events are predictable in aggregate but hard to time individually. The firm that needs you today may not have known they needed you six months ago. This creates a demand-generation challenge distinct from general IT services marketing. You are not selling a continuous service to a known buyer. You are reaching a buyer who is often in a narrow decision window, comparing you against other prep firms and against the option of handling readiness internally.

Where SOC 2 Prep Firms Misread the Standard

One common error is conflating SOC 2 with ISO 27001 or with a cybersecurity framework like NIST CSF. Each has distinct audiences and evidentiary requirements. A client that needs SOC 2 for a U.S. enterprise procurement process will not satisfy that need with ISO 27001 alone, and vice versa. Firms that sell readiness without clarifying this distinction create failed engagements and reputational damage.

Another specific mistake is underestimating the observation period burden for Type II. A client can achieve Type I with documented intent. Type II requires sustained operation. Prep firms that rush clients to Type II before controls are operational waste audit fees and produce qualified opinions. The correct sequencing is: implement controls, operate them for a minimum period, then engage the auditor for Type II. Some firms now offer "continuous compliance" monitoring to bridge this gap, but that is a separate service with its own pricing and delivery model.

A third error involves the privacy criterion. Many firms add privacy to their scope without understanding that it incorporates the AICPA's privacy management framework, including notice, choice, collection, use, retention, and disposal requirements. This is broader than information security and requires legal and operational review, not just technical controls. Prep firms that treat privacy as a checkbox extension of confidentiality set their clients up for findings.

Related Terms in Regulatory and Compliance

Practitioners working in this space should also understand CMMC, the Department of Defense's cybersecurity maturity model for defense contractors, whose controls overlap with SOC 2 but which carries contractual and regulatory enforcement rather than market pressure. ISO 13485 governs quality management systems for medical device firms, a different audit path but relevant for clients that span healthcare and technology.

FDA 483 Observation and FDA Warning Letter represent enforcement mechanisms in life sciences, distinct from voluntary attestation but often discussed in the same client conversations. BSA / AML compliance sits in the financial regulatory layer, with examination-based oversight rather than market-driven audit. I-9 Audit reflects a different compliance category, employment eligibility verification, but illustrates the breadth of attestation and inspection work that crosses a compliance firm's desk.

If you operate a SOC 2, ISO, or CMMC readiness practice, see how ROI Wire builds regulatory compliance firm pipelines through Email Correspondence, Direct Mail, and Retargeting. Return to the regulatory and compliance glossary hub for more terms used in your field.

Your SOC 2 Type II report is attested to the trust service criteria. Your deal flow is not.

ROI Wire builds Email Correspondence and Direct Mail programs that reach the security officers and procurement teams at SaaS companies approaching their first audit or renewal. You cover infrastructure cost. We take a share of the revenue we bring in. Schedule a brief call to review your vertical and the list criteria we use.
