There Is No Single "Audit Day"
When Priya imagined the SOC 2 audit, she pictured auditors arriving at the office with laptops, reviewing everything while the team stood by nervously answering questions.
The reality: the formal audit is a 6-8 week evidence review process, mostly conducted remotely via an audit portal, with occasional video calls. There's no single day. It's more like a structured collaboration with a structured deadline.
That said, there are distinct phases — and knowing what's coming makes each one manageable.
Phase 1: Audit Kickoff (Week 1)
The observation period is over. Your auditor schedules a kickoff call. This call typically covers:
- Confirmation of scope (systems, people, time period)
- Audit timeline and key milestones
- Evidence request process (which portal or shared folder they'll use)
- Key contacts on both sides
What to prepare:
- Your system description (the text that will appear in the SOC 2 report describing your service and infrastructure)
- Your control matrix (a spreadsheet listing every control, the responsible person, and where the evidence lives)
- Contact information for each control owner
Orion's experience: The kickoff call took 90 minutes. The auditor was thorough but professional. The most important output was an agreed evidence request schedule — three rounds of requests over 6 weeks.
Phase 2: Initial Evidence Requests (Weeks 1-3)
The first evidence request arrives. It's typically the longest — 30-50 items covering policies, system configurations, and initial documentation.
What to expect in the first request:
- All your policy documents (in scope policies, all versions from the audit period)
- System architecture diagram
- User access lists for in-scope systems (point-in-time)
- List of employees who joined and left during the observation period
- Configuration screenshots for key controls (MFA, encryption, etc.)
- Your vendor risk register with vendor SOC 2 reports attached
Orion's response time: Their filing system (described in Post 8) meant they could respond to most items within 24-48 hours. A few items required generating fresh screenshots or pulling reports from the audit period.
Phase 3: Testing Evidence Requests (Weeks 2-5)
As the auditor reviews your initial evidence, they begin sampling specific transactions to test whether controls operated effectively. This is where the audit becomes more targeted.
Typical sampling requests:
- "For the access review completed on October 15, please provide the signed-off review report."
- "For employee [name] who left on November 3, please provide evidence of offboarding completion including system access removal."
- "For pull request #247 deployed on December 8, please provide evidence of peer review approval."
- "Provide the vulnerability scan report for November and the corresponding remediation tracking for all High and Critical findings."
For each sample: The auditor is checking that what you said happened actually happened, and that there's a dated record proving it.
Phase 4: Management Questions (Week 4-6)
Beyond evidence, auditors conduct interviews or send written questions to confirm their understanding of how controls operate.
Sample questions:
- "Walk me through what happens when a new employee needs access to production systems."
- "How does your on-call process work, and how does that relate to your incident response plan?"
- "If the head of engineering left tomorrow, who would be responsible for the quarterly access review?"
These questions are assessing design — whether your controls are structured to actually work. Answers don't need to be polished; they need to be honest and consistent with your documentation.
The Exception Discussion
If the auditor finds a control that didn't operate as documented during the observation period, they'll raise it as a potential exception before finalising the report. This is your opportunity to provide additional context or correcting evidence.
How exceptions typically arise:
- A quarterly access review was completed on November 3, but the observation period started July 1. There's no evidence of a review in Q3.
- An employee was offboarded on October 15. The Okta account was disabled same-day, but their GitHub access wasn't removed until November 2 — 18 days later.
- A pull request was self-merged by a developer on December 12 (branch protection wasn't enforced).
Your response options:
- Provide additional evidence that shows the gap is actually covered (e.g., the GitHub removal was documented in the offboarding checklist, you just didn't initially provide that evidence)
- Acknowledge the gap and provide compensating context (e.g., the PR was self-merged by the most senior engineer for an emergency fix, and a post-deployment review was completed)
- Accept the exception — some findings simply can't be remediated after the fact
Important: Don't try to create evidence retroactively. Auditors can often tell when documentation is being backdated, and it creates a much more serious integrity problem than the original gap.
Phase 5: Report Draft Review (Week 6-7)
The auditor provides a draft report for your review before finalising. This is your chance to:
- Correct factual errors in the system description
- Provide management responses to any noted exceptions
- Confirm that the report accurately describes your controls
Management responses to exceptions: If your report includes exceptions, you can include a management response explaining the finding and the corrective actions you've taken or plan to take. Enterprise buyers often read management responses carefully — a clear, specific, forward-looking response demonstrates maturity.
The Final Report
The issued SOC 2 Type II report is a formal document that includes:
- Section 1: Management's description of your system (your system description)
- Section 2: Management's assertion (management's statement that the description is accurate)
- Section 3: The auditor's independent service auditor's report (the opinion)
- Section 4: The detailed control matrix with testing results
You own the report. You control who sees it. Standard practice: share it under NDA with customers who request it, or post it on your trust portal with NDA gate.
Orion's Final Report
Orion's SOC 2 Type II report was issued 8 months after they started their observation period. The report covered the period July 1, 2024 to December 31, 2024.
Result: Clean report. Zero exceptions.
The London fintech received the report within 24 hours. Their legal team reviewed it. Their security team reviewed it. Two weeks later, the contract was signed.
The deal Priya almost lost two years earlier — because she didn't know what SOC 2 was — was now their largest customer.
What Comes Next
You've received your report. Now what? There are three things that happen next: you share it with customers, you maintain your controls, and you prepare for next year's renewal. We cover all three in the final post.
On exceptions: Orion had zero exceptions. But in my experience, the majority of first-time SOC 2 reports have one or two minor exceptions. This is normal and not disqualifying. What matters is how you address them in your management response and whether you've remediated them before the next audit cycle.