Blog

SOC 2 Readiness Audit: Preparing Your SaaS for Trust Service Criteria

How technology companies can prepare for a SOC 2 audit and what to expect from the process.

← Back to Blog
Published 19 March 2026 · BCERT Editorial Team · 7 min read

SOC 2 (System and Organization Controls 2) is a reporting framework developed by the American Institute of Certified Public Accountants (AICPA) for service organisations — particularly SaaS companies, cloud providers, and managed service providers. A SOC 2 report provides assurance to customers and prospects that a service organisation's controls related to security, availability, processing integrity, confidentiality, and privacy are suitably designed and operating effectively. For many enterprise customers, especially in regulated industries, a SOC 2 Type II report is a prerequisite for vendor approval.

The 5 Trust Service Criteria

SOC 2 is built around five Trust Service Criteria (TSC):

  • Security (CC): The only mandatory category. Covers logical and physical access controls, change management, risk assessment, incident response, and monitoring. Based on the COSO framework and aligned to the AICPA's Common Criteria.
  • Availability (A): Whether systems are available for operation and use as committed. Relevant for SaaS platforms where uptime SLAs matter.
  • Processing Integrity (PI): Whether processing is complete, valid, accurate, timely, and authorised. Most relevant for transaction processing systems.
  • Confidentiality (C): Whether information designated as confidential is protected as committed. Relevant when handling confidential business information for customers.
  • Privacy (P): Whether personal information is collected, used, retained, disclosed, and disposed of in accordance with the organisation's privacy notice and AICPA Privacy Management Framework principles.

Most SaaS companies scope their SOC 2 to Security plus Availability. Adding additional criteria increases audit scope and cost but can provide stronger assurance for specific customer requirements.

Type I vs Type II Reports

There are two types of SOC 2 reports:

  • Type I: Reports on the design of controls at a specific point in time. It confirms that controls are suitably designed to meet the selected criteria, but does not test whether they operated effectively over time. Type I is faster to achieve and is useful as an interim step or for early-stage companies.
  • Type II: Reports on the design and operating effectiveness of controls over an observation period (typically 6–12 months). This is the standard demanded by enterprise customers. It requires that controls be in place and evidence be collected throughout the observation period before the audit begins.

What Auditors Examine and Common Gaps

SOC 2 auditors (CPA firms) test controls by examining evidence over the observation period. Common areas of scrutiny include:

  • Access provisioning and de-provisioning records — is access removed promptly when staff leave?
  • Multi-factor authentication for production systems and privileged accounts
  • Vulnerability management — patch cadence, scan results, remediation evidence
  • Change management — evidence that changes are tested, approved, and reviewed before deployment
  • Vendor risk management — assessments of critical sub-processors
  • Incident response — documented incidents, response timelines, post-incident reviews
  • Background checks for employees with access to sensitive systems

The most common gaps found in readiness assessments are incomplete access reviews, lack of documented change approval processes, and insufficient vendor risk documentation.

How BCERT Gap Analysis Helps

A SOC 2 readiness gap analysis by BCERT maps your existing controls against the selected Trust Service Criteria before the observation period begins. We identify which controls are missing or insufficient, prioritise remediation by risk and effort, and provide a clear implementation roadmap. Starting your observation period with controls already in place means you collect clean evidence from day one — reducing the risk of qualified opinions and accelerating your path to a clean Type II report.

Ready to get certified?

Visit bcert.uk or contact us at info@bcert.uk to discuss SOC 2 readiness.

Request a Gap Analysis →