SOC 2 Audit Preparation Guide: What to Do 30 Days Before Fieldwork
You've spent 6-12 months on readiness. Now the auditor wants a kickoff call. This is the guide for the last 30 days before fieldwork — how to pass cleanly on the first attempt, what auditors actually sample, and the common landmines that surprise companies on their first SOC 2.
If you're earlier in the journey, start with What is SOC 2? or the SOC 2 Compliance Checklist.
What a SOC 2 auditor actually does
Your auditor is a CPA firm licensed by the AICPA. They conduct four phases:
- Planning — understand scope, risks, control environment
- Fieldwork — test controls by examining evidence, interviewing staff, sampling transactions
- Reporting — draft report, discuss findings, resolve disputes
- Issuance — final signed report
For a Type 2 with a 6-month window and ~80 controls, fieldwork typically runs 3-5 weeks of auditor time (mostly remote) spread over a 6-8 week calendar window.
What they sample
This is where teams underestimate. Auditors don't just check that a control exists — they pull evidence across the observation period.
Examples of what a Type 2 auditor samples for a 6-month window:
| Control area | Sample size |
|---|---|
| Access reviews | 2-3 quarters' reviews — full list of users each time |
| Termination access revocation | 5-15 terminated employees — each with evidence of full access removal |
| Change management | 25-40 production changes — each with review approval, merge record, deployment log |
| Backup restoration | 2-4 restore tests with timing and outcome |
| Vulnerability patching | Sample of 20-30 CVEs with identification date, priority, fix date |
| Security training | Training completion roster for every employee |
| Incident response | All P1/P2 incidents + at least 1 tabletop exercise |
| Vendor reviews | 10-20 critical vendors with current SOC 2 / ISO 27001 evidence |
| Monitoring alerts | 20-40 security alerts with response records |
| Onboarding | 5-10 newly hired employees with full onboarding evidence |
If you only have evidence for the last 2 weeks, your audit fails. This is the #1 reason Type 2 audits surface exceptions — companies went into observation mode late.
The 30-day pre-audit sprint
Week 1: internal audit pass
- Pull evidence for every control, as if you were the auditor
- Spot check: is there a gap in any month of the observation period?
- Validate access reviews happened on schedule (monthly or quarterly)
- Verify policy signatures are current (all employees)
- Confirm training completion for every active employee
- Check change management audit trail end-to-end for 5-10 random changes
Week 2: remediate what's wrong
- Any missing evidence: regenerate it if possible, document exceptions if not
- Any stale policies: re-review, re-sign by owner
- Any overdue access reviews: complete and document
- Any incomplete training: push completion now (better late than missing)
- Any open risks that should be closed: close them
Week 3: organize deliverables
- Control matrix — every control mapped to responsible party + evidence location
- Policy library — latest versions in one place, accessible to auditor
- System description — narrative of your service, infrastructure, subservice organizations
- Risk register — live document with current risks + treatments
- Vendor list — with SOC 2 / ISO 27001 evidence for each critical vendor
- Evidence request list from auditor — confirm they have what they need, in their preferred format
Week 4: kick off
- Walkthrough call with auditor — who owns what, cadence, escalation
- Secure evidence sharing channel (auditor portal, not email attachments)
- Internal war-room set up — single point person coordinating auditor requests
- Answer backlog — anticipated questions prepped with draft responses
The 5 most common exceptions (and how to avoid them)
Analyzed across European SaaS SOC 2 Type 2 audits 2024-2026:
1. Access reviews not completed on time
Exception: "Q3 access review evidence dated 15 days after quarter-end."
Fix: calendar-based reminders, auto-tickets at quarter boundary, platform-driven workflow (like Matproof) instead of spreadsheet.
2. Terminated user access not removed within SLA
Exception: "3 of 12 terminated users retained access for > 24h post-termination."
Fix: offboarding automation — ideally SSO-integrated so access revocation is central, not system-by-system.
3. Production change without documented review
Exception: "Commit abc1234 to main on June 12 has no recorded review."
Fix: enforce branch protection; exception process for emergencies with retro documentation.
4. Training not completed by all employees
Exception: "4 of 47 employees did not complete annual security training."
Fix: quarterly verification; escalation to manager after 30 days.
5. Missed backup restore test
Exception: "No evidence of Q2 backup restore test."
Fix: calendar-based, owned by specific person, evidence stored in compliance platform.
If you avoid these five, you pass cleanly.
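The Week 1 internal audit pass above amounts to running the five checks this section lists against your own evidence before the auditor does. The script below does that over a constructed evidence set; it is an added example, not Matproof's or any auditor's code, and the user names, commit ids, dates and the 5-day grace period for access review evidence are assumptions made for illustration.

```python
from datetime import date, datetime, timedelta

# Constructed sample evidence for a 6-month observation window (Jan-Jun 2025).
PERIOD_START, PERIOD_END = date(2025, 1, 1), date(2025, 6, 30)
ACCESS_REVIEWS = [  # (quarter-end, date the review evidence is dated)
    (date(2025, 3, 31), date(2025, 4, 3)),
    (date(2025, 6, 30), date(2025, 7, 15)),  # dated 15 days after quarter-end
]
TERMINATIONS = [  # (user, termination time, time last access was revoked)
    ("alice", datetime(2025, 2, 3, 17, 0), datetime(2025, 2, 3, 17, 20)),
    ("bob", datetime(2025, 4, 8, 9, 0), datetime(2025, 4, 10, 11, 0)),  # > 24h
]
CHANGES = [  # (commit, merge date, approving reviewer or None)
    ("a1b2c3d", date(2025, 5, 2), "carol"),
    ("d4e5f6a", date(2025, 6, 12), None),  # merged with no recorded review
]
TRAINING = {"alice": True, "bob": True, "carol": False, "dave": True}
RESTORE_TESTS = [date(2025, 2, 14)]  # one restore test, in Q1 only

def late_access_reviews(reviews, grace_days=5):
    """Quarter-ends whose review evidence is dated more than grace_days late (assumed grace)."""
    return [q for q, dated in reviews if (dated - q).days > grace_days]

def revocation_sla_breaches(terms, sla=timedelta(hours=24)):
    """Terminated users whose last access was revoked later than the SLA."""
    return [user for user, ended, revoked in terms if revoked - ended > sla]

def quarters_in(start, end):
    """Every (year, quarter) touched by the observation window."""
    quarters, cur = set(), start
    while cur <= end:
        quarters.add((cur.year, (cur.month - 1) // 3 + 1))
        cur = (cur.replace(day=28) + timedelta(days=4)).replace(day=1)  # first of next month
    return sorted(quarters)

def quarters_without_restore(tests, start, end):
    """Quarters in the window with no backup restore test dated inside them."""
    covered = {(t.year, (t.month - 1) // 3 + 1) for t in tests}
    return [q for q in quarters_in(start, end) if q not in covered]

def run_checks():
    """Findings keyed by the five exception categories in the guide; empty list means clean."""
    return {
        "access_review_late": late_access_reviews(ACCESS_REVIEWS),
        "revocation_over_sla": revocation_sla_breaches(TERMINATIONS),
        "change_unreviewed": [commit for commit, _, reviewer in CHANGES if reviewer is None],
        "training_incomplete": sorted(u for u, done in TRAINING.items() if not done),
        "restore_test_missing": quarters_without_restore(RESTORE_TESTS, PERIOD_START, PERIOD_END),
    }
```

Point the data loaders at your real access review, HR, VCS, training and backup exports and any non-empty list is an exception to remediate in Week 2.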
The management assertion
Before the auditor does fieldwork, your CEO (or equivalent) signs a management assertion letter stating:
- The system description is fair
- The controls listed were in operation throughout the period
- The controls were suitably designed to achieve the criteria
This is serious — it's an executive attestation. The auditor tests whether your assertion is accurate.
Prep the CEO for this by having:
- Clean system description they can actually read
- Executive summary of controls + any known weaknesses
- Clear picture of any exceptions you expect
Dealing with exceptions gracefully
No Type 2 report is perfect. Most first-time Type 2 reports have 3-8 exceptions. What matters is the materiality — exceptions don't prevent report issuance, they're noted in the report.
When the auditor identifies an exception:
- Don't argue reflexively — ask them to explain, listen
- Clarify facts — is the evidence they think is missing actually elsewhere?
- Document the remediation — when you noticed, what you did, what you've changed to prevent recurrence
- Track for next year — every exception in Year 1 should be closed by Year 2 fieldwork
Customers reading the report care more about how you respond to exceptions than the fact they exist. "3 exceptions, all remediated with updated controls" reads as "mature company."
Subservice organizations
If you rely on AWS, Azure, GCP, Stripe, or other cloud providers for parts of your service, those are subservice organizations. You need to:
- Identify them in your system description
- Obtain their current SOC 2 / ISO 27001 reports (annual refresh)
- Either "carve out" their controls from your audit or "include" them (inclusion is rare for huge vendors)
- Track any complementary user entity controls (CUECs) they require you to implement — often documented in their bridge letter
Common subservice orgs:
- AWS (carve-out, use their SOC 2)
- GCP (carve-out)
- Azure (carve-out)
- Cloudflare (carve-out)
- Snowflake, Databricks (carve-out)
- Stripe, Plaid (carve-out for those specific services)
- Auth0, Okta (carve-out IdP portion)
What happens after fieldwork
- Draft report — auditor shares for review, you respond to any discrepancies
- Management response (if exceptions) — your formal written response to each
- Final report issuance — typically 2-4 weeks after fieldwork completion
- Start next observation window — immediately, so your next report is continuous
The report is valid for 12 months from the end of the observation period. Most customers want reports less than 6 months old — plan accordingly.
Bridge letters
Between annual reports, you'll issue bridge letters to customers confirming nothing material has changed since the last report. Standard practice. Your auditor provides a template. Update quarterly or as requested.
Red flags auditors hate
Things that will slow or complicate your audit:
- Evidence sent in email attachments (insecure, hard to track)
- Policy files edited without version history
- Missing dates on approvals ("we approved this... sometime")
- Slack screenshots as primary evidence
- Inconsistent names (same person, 3 different email addresses)
- No central system of record — spreadsheet exports with no authority
If any of these apply, you need a compliance platform before you need an auditor.
How Matproof streamlines the audit
In fieldwork, Matproof cuts auditor cycle time 30-50% by:
- Pre-organized evidence per control, date-stamped, tamper-evident
- Auditor portal with read-only access — no email back-and-forth
- Real-time control health dashboards
- Dual-mapped evidence for SOC 2 + ISO 27001 if you're doing both
- EU-hosted with GDPR-compliant processing — important if your auditor is US-based
Start your SOC 2 Readiness Assessment to see where gaps exist 30+ days before audit kickoff.
Related reading
- What is SOC 2 Compliance? — fundamentals
- SOC 2 Compliance Checklist — the control list
- SOC 2 Type 1 vs Type 2 — which report
- SOC 2 Compliance Cost Guide — budget
- European SOC 2 Alternative