What is SOC 2 compliance? A founder's primer
What is SOC 2 compliance, who issues the report, why enterprise buyers ask for it, and how long it actually takes. A CPA firm's plain-English primer.
Dev Agarwal, CPA
Licensed CPA · Founder

A prospect's security team emails you a vendor questionnaire with a line near the top that says "please attach your most recent SOC 2 Type II report." You do not have one. The deal is now paused, and you have a week to figure out what the acronym actually means, how to get the report, and how much of next quarter it is going to eat.
This is the primer we wish every founder had before that email landed.
What SOC 2 is
SOC 2 is an independent attestation report, produced by a licensed CPA firm, on the design and operating effectiveness of a service organization's controls over customer data. The acronym stands for System and Organization Controls, report number 2, and the framework is maintained by the American Institute of Certified Public Accountants (AICPA).
A SOC 2 is not a certification. There is no logo, no certificate, no registry. What you receive at the end of the engagement is a PDF, usually fifty to a hundred pages long, containing your auditor's opinion, your management's assertion, a description of your system, and a table of every control tested with the result of each test. Your buyer reads that PDF under NDA. That is the entire deliverable.
The report exists because enterprise procurement teams need a way to evaluate vendors without auditing every single one themselves. SOC 2 is the shared language they use for that evaluation.
Who issues a SOC 2 report
Only a licensed CPA firm can issue a SOC 2 report. This is not a convention, it is an AICPA rule. The engagement is an attestation performed under AICPA attestation standards (AT-C 105 and AT-C 205), and those standards require an independent public accountant.
This matters more than it sounds. A consultancy, a pentest firm, a compliance platform, or a "virtual CISO" cannot issue your SOC 2, no matter how confidently their sales deck implies otherwise. If the firm signing the opinion does not hold an active CPA license in the state where the engagement is administered, the report is not a SOC 2. It is a document that looks like a SOC 2, which is a different thing when a Fortune 500 security team is reading it.
SecurancePro is a licensed CPA firm. We perform SOC 1, SOC 2, and SOC 3 attestations, plus accounting and tax. We do not perform penetration tests, ISO 27001 certification, FedRAMP 3PAO assessments, or HITRUST assessor work. We educate on those topics from an auditor's chair.
Why buyers ask for it
The moment SOC 2 blocks a deal is usually the moment a founder learns what it is. The pattern is predictable: your prospect gets to the end of the sales cycle, the deal gets routed to vendor risk or procurement, and the questionnaire arrives. Somewhere in the top ten questions is "attach your current SOC 2 Type II report."
Enterprise procurement teams ask for it because their own auditors and regulators require them to perform vendor risk management on the software they buy. SOC 2 turns that work from a bespoke assessment of every vendor into a document review, which scales. Our piece on what a SOC 2 report actually tells your buyer walks through the two sections of the report they actually read.
If your product stores, processes, or transmits customer data of any sensitivity, assume a SOC 2 will be asked for before you cross seven figures in ARR. Plan for it before the first questionnaire lands, not after.
SOC 2 Type I vs Type II
There are two flavors of SOC 2, and the distinction is about time.
A Type I report says the controls were suitably designed as of a single point in time. It is a snapshot. The auditor walks through each control once, confirms it is designed to meet the applicable criteria, and signs the opinion. Turnaround from engagement start to issued report is usually two to three months.
A Type II report says the controls were suitably designed and operated effectively over a period of time, typically six to twelve months. The auditor samples evidence throughout the observation window, tests that each control actually ran as described, and reports any exceptions. This is the report enterprise buyers want.
Most companies ship a Type I first as a placeholder, then a Type II once the observation window closes. Our SOC 2 Type I vs Type II post covers the decision in depth, including the cases where skipping straight to Type II is the right call.
The five Trust Services Criteria
A SOC 2 tests your controls against the AICPA's Trust Services Criteria (TSC) — the 2017 TSC with revised points of focus maintained by the Assurance Services Executive Committee — which are grouped into five categories:
- Security, mandatory in every SOC 2. Also called the Common Criteria.
- Availability, add when you make an uptime commitment in contracts.
- Processing Integrity, add when correctness of transaction processing is the product.
- Confidentiality, add when customers entrust non-personal sensitive material to you.
- Privacy, add when a specific customer is asking for it.
Security alone is a complete, defensible SOC 2 report. The other four are additive, and you pick them based on the commitments you make to customers, not on what sounds comprehensive. Our Trust Services Criteria explained piece is the full walkthrough.
What a SOC 2 engagement actually involves
Every engagement we run has the same four phases, whether the company is a ten-person seed startup or a growth-stage SaaS with a thousand employees.
Readiness. A gap assessment against the TSC. We sit with your team, walk through each criterion, and produce a list of policies, controls, and evidence you still need. This is where the real work gets done. Companies that skip readiness and start fieldwork cold pay for it in exceptions later. Our SOC 2 readiness assessment post covers what this actually looks like.
Observation window (Type II only). The period during which your controls have to be running and producing evidence. Typically six to twelve months. No observation window for Type I.
Fieldwork. The auditor tests the controls. Interviews, walkthroughs, evidence sampling, population testing. For a Type II this happens after the observation window closes; for a Type I it happens in lieu of one. See the SOC 2 audit process for the engagement mechanics.
Report. Draft, management review, quality review, issuance. Six to ten weeks from the end of fieldwork. Every annual cycle after the first, the observation window resets and you do it again.
SOC 2 is not a project. It is an annual program with a report attached.
Between annual reports, buyers bridge the gap using a SOC 2 bridge letter, which management signs to assert nothing material has changed since the last report period end.
How long SOC 2 takes and what it costs
Honest ranges, for a growth-stage SaaS with one product:
- Type I from a standing start: four to six months. Two to three of readiness, one to two of fieldwork, one of reporting.
- Type II from a standing start: nine to fourteen months. Three to four of readiness, six to twelve of observation window running in parallel with evidence collection, one to two of fieldwork, six to ten weeks of reporting.
- Annual Type II in steady state: roughly twelve months end to end, timed so the report lands shortly after the observation window closes.
Audit fees run roughly $25k to $60k per year depending on scope, criteria, and firm. Readiness is usually the larger first-year line item for companies building the program from scratch. A compliance platform (Vanta, Drata, Secureframe, and similar) is optional, not required; it can help with evidence collection but it does not reduce the audit fee and it does not replace the CPA firm.
What our process looks like is deliberately built around those timelines so the report is ready when your sales cycle needs it.
Common misconceptions
"SOC 2 is a certification." It is an attestation. Nobody certifies you; a CPA firm opines on your controls. This matters because a certification either exists or does not, while an attestation is a document that can be issued with or without exceptions and is still valid.
"You pass or fail a SOC 2." There is no pass or fail in the usual sense. The auditor issues an unqualified, qualified, adverse, or disclaimer opinion. Unqualified is what everyone wants, and it is what well-run companies receive even when the report lists individual exceptions. A Type II with a handful of minor exceptions and an unqualified opinion is the report most real companies ship.
"Zero exceptions is the goal." A SOC 2 Type II with zero exceptions either means the scope was drawn too narrowly, or the auditor did not look hard. Neither is a good look next to your competitor's report. Real operations produce real exceptions, and the remediation response is what procurement reads.
"A SOC 2 covers everything a buyer cares about." It covers the systems and criteria in scope. If you sell an API product and your SOC 2 scopes only the marketing site, the report is worthless to a buyer evaluating the API.
Related frameworks
SOC 2 is not the only compliance report your buyers might ask for.
- SOC 1 is the financial-reporting cousin, relevant when your service affects your customers' financial statements. Payroll processors, billing platforms, and fund administrators usually need a SOC 1 report. The distinction between management's assertion and the auditor's attestation also shows up in SOX 404(a) vs 404(b) for public filers.
- ISO 27001 is the international equivalent, issued by an accredited certification body rather than a CPA firm. If your buyers are European, Japanese, or Middle Eastern, they will ask for ISO 27001 certification first. Our SOC 2 vs ISO 27001 post covers the decision, including when to do both.
- HIPAA Security Rule is a separate overlay for any company touching US healthcare data. See who the HIPAA Security Rule applies to for the scope question.
A good compliance program picks the frameworks your buyers actually ask for, designs the evidence library once, and maps it to each framework. Running three programs with three document sets is how companies end up paying for the same control five times. Our services page lists where we fit in that picture.
If a prospect is asking for a SOC 2 report and you are staring at the email wondering what to say next, get in touch and we will walk through scope, timeline, and whether Type I or Type II is the right first step for your deal.