Safeguard
Compliance

The SOC 2 audit process step by step

A step-by-step breakdown of the SOC 2 audit process — timelines, costs, Type 1 vs Type 2, and what auditors actually check — with a look at where Safeguard fits alongside tools like Secureframe.

Marina Petrov
Compliance Analyst
8 min read

Every SaaS company hits the same wall eventually: a prospect's security team sends a vendor questionnaire, and the first line asks for a SOC 2 report. What follows is a process that most founders and engineering leads have never seen from the inside — a mix of AICPA jargon, evidence collection, and a third-party auditor poking at your access controls. Compliance automation platforms like Secureframe, Vanta, and Drata have turned this into a productized workflow, but the underlying audit mechanics haven't changed: you still need real controls, real evidence, and a licensed CPA firm willing to sign off.

This post walks through the SOC 2 audit process step by step — from scoping to report issuance — with the timelines, costs, and terminology you'll actually encounter. We'll also cover where automation platforms help, where they don't, and how Safeguard fits into the evidence layer that any SOC 2 program ultimately depends on: your software supply chain.

What Is the SOC 2 Audit Process, Exactly?

The SOC 2 audit process is a five-stage sequence — scoping, gap assessment, remediation, observation period, and audit fieldwork — that results in an independent CPA firm's report on your security controls, governed by the AICPA's Trust Services Criteria. Those five criteria are Security (mandatory), Availability, Processing Integrity, Confidentiality, and Privacy; nearly every company scopes for Security alone in their first audit, then adds criteria later as customers demand it.

Unlike ISO 27001, SOC 2 has no certification body and no pass/fail badge — the deliverable is a report, typically 20-60 pages, that describes your controls and the auditor's opinion on whether they're suitably designed (Type 1) or operating effectively over time (Type 2). Platforms like Secureframe popularized the idea of continuous, dashboard-driven compliance, monitoring things like MFA enforcement and employee offboarding in near real time. That reduces the manual screenshot-collection work, but it doesn't replace the auditor relationship — you still pick and pay a CPA firm separately.

How Long Does a SOC 2 Audit Actually Take?

A first SOC 2 Type 2 audit typically takes 6-9 months from kickoff to final report, split roughly into a 4-6 week readiness assessment, 4-12 weeks of gap remediation, a 3-6 month observation window, and 2-4 weeks of auditor fieldwork after the window closes. Companies racing to close an enterprise deal often compress this by starting with a Type 1 report, which only requires a point-in-time review of control design — no observation period — and can be issued in as little as 4-6 weeks after remediation is complete.

The observation period is the part teams underestimate. If your policy says "access reviews happen quarterly" but you only ran one review during a 3-month window, the auditor has nothing to sample. Most first-time SOC 2 programs choose a 3-month observation period to get a Type 2 report out faster, then extend to the standard 12-month period in year two. Automation tools shorten the evidence-gathering side of this timeline; they cannot shorten the calendar time required to demonstrate a control operated consistently.

What Happens During Each Stage of the Audit?

Each stage of the SOC 2 audit process maps to a specific deliverable: scoping defines your Trust Services Criteria and system boundary, the gap assessment (often called a "readiness assessment") compares your current controls against roughly 60-100 individual control points, remediation closes those gaps, the observation period generates evidence, and fieldwork is when the auditor tests samples of that evidence. During fieldwork, a Type 2 audit typically involves the auditor pulling 15-25 samples per control — for example, reviewing 25 pull requests to confirm each had a required approval, or checking 12 months of access-review tickets to confirm quarterly cadence.

Auditors from firms like A-LIGN, Prescient Assurance, Johanson Group, or Sensiba typically request evidence through a portal — either the audit firm's own tool or whatever your compliance platform exports. Response time matters here: a PBC (provided-by-client) list with 80 open items sitting untouched for two weeks is the single most common reason fieldwork slips past its scheduled close date.

Do You Need SOC 2 Type 1 Before Type 2?

No — Type 1 is optional, but roughly 70% of first-time SOC 2 companies start there because it converts a sales blocker into a signed report in 4-6 weeks instead of waiting out a multi-month observation period. Type 1 answers "are your controls designed correctly as of this date?" while Type 2 answers "did these controls operate effectively over the last 3-12 months?" Enterprise buyers with mature security teams will almost always require Type 2 before signing a contract over roughly $50,000 ACV, so Type 1 is best treated as a bridge, not a destination.

If you skip straight to Type 2, budget for the fact that any control gap discovered mid-observation-period forces a restart of the clock for that specific control. A company that fixes a missing MFA requirement in month 4 of a 6-month window either needs a 6-month bridge letter explaining the gap or has to extend the observation period for that control specifically — both outcomes auditors and prospects will ask about directly.

What Does the Auditor Actually Look At?

Auditors test three things for every control: the policy that defines it, the evidence that it ran, and the technical configuration that enforces it — for a code-deployment control, that means your change-management policy document, your pull request history, and your CI/CD pipeline's branch-protection settings, all three, not just one. This is the stage where compliance dashboards and actual technical reality most often diverge: a screenshot showing "branch protection enabled" from three months ago doesn't prove protection was enforced on every merge in between, especially if a repo was added mid-quarter or a rule was briefly disabled to unblock a hotfix.

Software supply chain controls are an increasingly specific line item here. Auditors now routinely ask for evidence covering SBOM generation, dependency vulnerability scanning, and third-party package provenance — driven partly by frameworks like NIST SSDF and executive orders following incidents such as SolarWinds and the 2024 XZ Utils backdoor. A 2025 CPA firm won't accept "we use open source libraries" as an answer; they want to see which scanner ran, on which commit, and what happened to the criticals it found.

How Much Does a SOC 2 Audit Cost?

A first SOC 2 Type 2 audit typically costs $15,000-$50,000 in direct CPA audit fees, plus $7,000-$30,000 per year for a compliance automation platform if you use one — Secureframe's published pricing for smaller companies starts in the low five figures annually, with Vanta and Drata in similar ranges. Total first-year cost, including internal engineering time spent on remediation, commonly lands between $40,000 and $120,000 for a company under 100 employees, with the audit firm fee scaling by criteria count, system complexity, and number of in-scope subservice organizations.

Costs rise fastest when the observation period surfaces control failures late — reworking a control in month 5 of 6 often means paying for an extended engagement letter or a second, shorter observation period the following quarter. Budgeting for a real readiness assessment up front, rather than discovering gaps during fieldwork, is consistently the cheaper path.

How Safeguard Helps

Safeguard focuses on the part of the SOC 2 control set that generic GRC platforms treat as a checkbox: software supply chain security. Where a compliance automation tool confirms that a policy document exists, Safeguard generates the underlying technical evidence — continuous SBOM generation, dependency and container vulnerability scanning, build provenance attestation, and CI/CD pipeline integrity checks — mapped directly to the specific Trust Services Criteria points auditors sample against, such as change management and vulnerability management.

That mapping matters most during fieldwork. Instead of manually screenshotting a vulnerability scanner dashboard for each of the 15-25 samples an auditor requests, Safeguard exports timestamped, control-tagged evidence that shows exactly when a scan ran, what it found, and how it was remediated — evidence that holds up whether you're running a Type 1 readiness check or a full 12-month Type 2 observation period. Teams already using Secureframe, Vanta, or Drata for policy and access-control automation typically run Safeguard alongside it, since those platforms rarely go deep enough into artifact signing, dependency graphs, or build pipeline controls to satisfy an auditor's supply-chain questions on their own.

If you're heading into a SOC 2 audit and your current evidence for "how do you manage third-party and open-source risk" is a paragraph in a policy doc, that's the gap worth closing first — it's one of the fastest-growing categories of auditor follow-up questions in 2025 and 2026 engagements.

Never miss an update

Weekly insights on software supply chain security, delivered to your inbox.