Safeguard
Compliance

SOC 2 Type II

What is SOC 2 Type II? A clear breakdown of the audit report, Trust Services Criteria, and how it differs from Type I — with real audit examples.

Marina Petrov
Compliance Analyst
7 min read

If you've ever asked a vendor for proof they take security seriously, you've probably been handed a SOC 2 report — but what is SOC 2 Type II, specifically, and how is it different from the shorter Type I version? SOC 2 Type II is an independent audit report, issued under the AICPA's Trust Services Criteria, that evaluates whether a company's security controls were designed and operated effectively over a sustained period — typically three to twelve months. It's the standard that enterprise buyers, procurement teams, and security reviewers ask for before trusting a vendor with their data, code, or infrastructure. Unlike a one-time snapshot, a Type II report is built on evidence collected continuously: access logs, change records, incident tickets, and control test results gathered across the entire observation window, not just a single day.

For software supply chain companies especially, a SOC 2 Type II report has become table stakes — the artifact that turns "trust us" into "here's twelve months of evidence."

What Is SOC 2 Type II, Exactly?

SOC 2 Type II is a formal attestation report prepared by an independent CPA firm confirming that an organization's controls, mapped to one or more of the AICPA's five Trust Services Criteria, operated effectively across an audit period. The five criteria — Security, Availability, Processing Integrity, Confidentiality, and Privacy — form the backbone of SOC 2 compliance explained in plain terms: Security is mandatory for every SOC 2 report, and the other four are added based on what a company actually promises its customers. A SaaS company handling customer PII, for example, would typically include Confidentiality and Privacy alongside Security.

The "Type II" designation specifically means the auditor tested operating effectiveness over time, not just at a single point. Auditors sample real evidence: they might pull twenty-five access-provisioning tickets from across the audit period and verify each one followed the documented approval workflow, or review a sample of production deployments to confirm code review and CI checks actually ran before merge. The result is a report with far more evidentiary weight than a design review alone.

How Is SOC 2 Type II Different From Type I?

The core difference is time: Type I assesses whether controls are suitably designed as of a single date, while Type II assesses whether those same controls actually worked, consistently, over a period of months. In the SOC 2 Type I vs Type II comparison, think of Type I as a blueprint inspection — "yes, this control exists and looks reasonable on paper" — while Type II is more like a home inspector who lives in the house for six months and checks whether the plumbing actually holds up under daily use.

Most companies start with a Type I report to prove their control design is sound, then transition to Type II once they have enough operating history to demonstrate consistency. A startup might complete a Type I in month three of its compliance program, then use the following nine months to accumulate evidence for its first Type II. Enterprise customers and security questionnaires increasingly treat Type I as a stepping stone and require Type II before signing a contract, because Type I says nothing about whether controls survived contact with real operations — a missed patch cycle, an over-permissioned service account, or a skipped code review would show up in Type II testing but not in a Type I snapshot.

What Do Auditors Actually Test in a SOC 2 Type II Audit?

Auditors test a defined set of controls against the Trust Services Criteria by sampling operational evidence generated throughout the audit window, not by asking companies to describe their processes. Concretely, this means an auditor examining the Security criterion might request: a list of all employees who had production database access during the period, evidence that access was reviewed quarterly, tickets showing that access was revoked within a defined SLA after termination, and logs proving multi-factor authentication was enforced on every login attempt, not just configured as a policy.

For a company handling source code and build pipelines, auditors commonly test whether every production deployment passed through required approvals, whether vulnerability scan findings above a severity threshold were remediated within committed timelines, and whether infrastructure changes went through change management rather than being pushed directly by an individual engineer. If even one sampled instance fails — say, a deployment that bypassed code review because of a hotfix — the auditor will typically note it as an exception in the SOC 2 audit report, which doesn't necessarily fail the audit but does get disclosed to anyone reading the report.

What's Inside the Final SOC 2 Audit Report?

A completed SOC 2 audit report has four sections: the auditor's opinion, management's assertion, a description of the system, and the detailed testing matrix showing each control, the test performed, and the result. The testing matrix is where the real signal lives — it lists every control the auditor evaluated, the sample size used, and whether any exceptions were found, giving a reader far more diagnostic detail than the one-page opinion letter alone.

Reports are typically marked confidential and shared under NDA rather than published publicly, since they contain specifics about internal security architecture. When a prospective customer's security team requests your SOC 2 report during vendor due diligence, they're usually reading past the opinion letter straight to the exceptions section, because a "qualified" opinion with several noted exceptions tells a very different story than a clean report with zero exceptions across a twelve-month window.

Which Trust Services Criteria Actually Apply to Your Company?

Every SOC 2 report must include the Security criterion, and the other four SOC 2 trust services criteria — Availability, Processing Integrity, Confidentiality, and Privacy — are scoped in based on the promises a company makes to its customers. A company offering an uptime SLA would add Availability; a payments processor handling financial transactions would likely add Processing Integrity to demonstrate transactions are accurate and authorized; a company storing health or biometric data would add Privacy.

Scoping the wrong criteria is one of the most common mistakes companies make early in a compliance program — adding Availability without a meaningful SLA just creates extra audit work with no customer-facing benefit, while skipping Confidentiality when you routinely handle customer source code or secrets leaves a real gap that security-conscious buyers will notice during due diligence.

How Safeguard Helps

Safeguard was built for exactly the operational reality a SOC 2 Type II audit tests: whether security controls actually hold up over time, not just whether they're documented. For software supply chain controls specifically — code review enforcement, build provenance, dependency and vulnerability remediation SLAs, and deployment approval workflows — Safeguard continuously captures the evidence auditors sample against, instead of leaving teams to reconstruct twelve months of access logs and pipeline history the week before an audit.

Safeguard maps directly to the controls auditors test under the Security criterion: it tracks whether every build passed required scans before promotion, flags when vulnerability remediation exceeds committed timelines, and maintains an auditable record of who approved what and when across the SDLC. That means when your auditor asks for a sample of twenty-five deployments and wants proof each one followed policy, the evidence already exists in one place — reducing audit prep from weeks of log-gathering to a focused evidence pull, and helping turn SOC 2 Type II from an annual scramble into a byproduct of how the engineering organization already operates.

Never miss an update

Weekly insights on software supply chain security, delivered to your inbox.