What are SOC 2 Type 2 controls?

SOC 2 Type 2 controls are the policies, processes, and technical safeguards you map to the AICPA Trust Services Criteria, then run and evidence continuously. In a Type 2 audit, a CPA firm tests both that each control is designed correctly and that it operated effectively across an observation window — typically 3 to 12 months — by sampling logs, tickets, and records from that period.

How are SOC 2 Type 2 controls tested differently from Type 1?

A Type 1 audit tests control design as of a single date — the auditor confirms the control exists and is suitable. A Type 2 audit tests the same design plus operating effectiveness over time: the auditor pulls a sample of instances across the observation period (for example, every quarterly access review in a 6-month window) and checks each one ran as described. Type 2 evidence is therefore a population of dated artifacts, not a point-in-time snapshot.

How many SOC 2 Type 2 controls do you need?

There is no fixed number. The AICPA publishes criteria, not controls. The Security category alone has 33 Common Criteria across CC1–CC9, and one criterion can be met by several controls or one control can cover several criteria. Most SOC 2 Type 2 programs run roughly 60 to 120 controls depending on which Trust Services Categories are in scope and how complex the environment is.

Which Trust Services Criteria does a SOC 2 Type 2 cover?

Every SOC 2 covers Security (the Common Criteria, CC1–CC9). You then add any of four optional categories based on the commitments you make to customers: Availability (A1), Processing Integrity (PI1), Confidentiality (C1), and Privacy (P1–P8). Most B2B SaaS reports scope Security plus Availability and Confidentiality.

SOC 2 Type 2 Controls: What Auditors Test (2026)

SOC 2 Type 2 controls are the policies, processes, and technical safeguards you map to the AICPA Trust Services Criteria — then run and document continuously so an auditor can confirm they actually worked. In a Type 2 examination, a CPA firm tests two things for each control: that it is designed correctly and that it operated effectively across an observation window, usually 3 to 12 months. The proof is a population of dated artifacts (logs, tickets, approvals) sampled from that window, not a single-day snapshot.

This guide covers what counts as a control, how controls map to the Trust Services Criteria, concrete control examples with the evidence auditors sample, and why Type 2 testing differs from Type 1. For a full per-criteria control inventory, see the SOC 2 controls list.

What Counts as a SOC 2 Type 2 Control

The AICPA does not publish a list of SOC 2 controls. It publishes criteria — the 2017 Trust Services Criteria, with revised points of focus issued in 2022. A control is the specific thing you do to meet a criterion. The 2022 revision updated the points of focus that guide control design (governance reporting lines under CC1, vendor-risk evaluation under CC9, privacy breach response) but did not change the criteria themselves.

The criteria split into five categories:

Security — the Common Criteria, CC1–CC9 (33 criteria). Required in every SOC 2.
Availability — A1 series. Service uptime and recovery.
Processing Integrity — PI1 series. Complete, accurate, timely processing.
Confidentiality — C1 series. Protecting information designated confidential.
Privacy — P1–P8 series. How personal information is collected, used, retained, and disposed.

You scope Security plus whichever optional categories match the commitments you make to customers. For how the Common Criteria break down, see SOC 2 common criteria explained and the deeper Trust Services Criteria guide.

Type 1 vs Type 2: the testing difference

The control set is the same. The testing is not.

	Type 1	Type 2
What’s tested	Design only	Design and operating effectiveness
Time covered	One date	Observation window, 3–12 months
Evidence	Point-in-time snapshot	Sampled population across the window
Auditor question	”Is this control suitably designed?"	"Did it run as designed, every time, all period?”

A first-time Type 2 often uses a shorter window (3–6 months); renewals typically cover 12 months so reports are continuous year over year. For the full comparison, see SOC 2 Type 1 vs Type 2 and what a SOC 2 Type 2 report is.

Two controls that look identical on paper test very differently under Type 2. A quarterly access review tested under Type 1 needs one completed review showing the process exists. Under Type 2 with a 6-month window, the auditor expects every review due in that window, each dated and approved — and a single missed quarter is an exception in the report.

Control Examples Mapped to the Trust Services Criteria

Each criterion you scope needs at least one control that meets it. Below are concrete examples per category — the kind auditors in our network see most often — with the control statement you’d write and the criterion it supports.

Diagram showing SOC 2 Type 2 controls grouped by Trust Services Category, each tied to continuous monitoring and customer trust

Mapping of Trust Services Criteria to SOC 2 Type 2 Controls

Below is a side-by-side look at each Trust Services Category, the control objective it supports, and a concrete control example you can adapt.

Trust Services Category	Control Objective	Example Control
Security (CC1–CC9)	Prevent unauthorized access and breaches	Enforce MFA on all admin accounts and review access logs weekly
Availability (A1)	Maintain service uptime and resilience	Conduct monthly backup restores and annual failover drills
Processing Integrity (PI1)	Ensure data is processed accurately and completely	Implement automated data validation and reconcile transaction logs daily
Confidentiality (C1)	Safeguard sensitive information from unauthorized view	Encrypt databases at rest and audit decryption key usage quarterly
Privacy (P1–P8)	Manage personal data throughout its lifecycle securely	Enforce data retention policies and validate deletion requests within a defined SLA

Use these as starting points, then rewrite each to match your systems, owners, and cadence. The next section shows how.

For the full per-criteria inventory of controls and the evidence each one needs, see the SOC 2 controls list. For the access-control category specifically, see SOC 2 security controls (CC6 and CC7).

Where teams have gaps

Before you draft statements, find the criteria you don’t yet meet:

List your in-scope categories and the criteria under each.
Match every criterion to an existing control. Flag any with no owner or no recurring evidence.
Prioritize remediation by audit risk — access deprovisioning and quarterly access reviews are the most common exceptions, so start there.

Writing Control Statements and Gathering Evidence

A control statement turns a Trust Services Criterion into a specific, testable action. Vague statements slow auditors down; precise ones let them sample and move on.

Consider this example:
“IT managers review and approve system access for all users every 90 days.”
Pair that with timestamped logs from your Identity and Access Management (IAM) tool, and you have a clear audit trail.

User Access Recertification triggers quarterly reviews in your IAM system so only current employees retain privileges.
Encryption Enforcement runs automated scans to verify all data at rest uses AES-256 keys and logs each event.
Configuration Change Management captures every system update in your ticketing platform and checks it against baseline settings within 24 hours.

Sample Control Statements With Evidence Types

Below is a quick reference that links sample statements to the evidence you’ll need and where to find it.

Control Statement	Evidence Type	Evidence Source
IT managers review and approve system access for all users every 90 days	Access review logs	IAM system reports
Verify that all databases are encrypted at rest using AES-256 and key rotation occurs quarterly	Encryption status logs	Automated scan reports
Record and validate all configuration changes against the baseline within 24 hours	Change logs	Ticketing system exports

This table shows key statements alongside the proof auditors expect. Use it as a blueprint when building your own controls.

Adapting Control Templates

Every team’s setup is unique. Make these templates yours in four simple steps:

Draft the control text with placeholders for your systems, roles, and timing.
Swap in actual names: your ticketing tool, your security lead, and your review cadence.
Align the review schedule to business rhythms—quarterly, monthly or even weekly.
Run the final version by both tech and compliance to catch gaps early.

Once you’ve customized each statement, map it to the right Trust Services Criteria—Security for access reviews, Confidentiality for encryption, and so on. That way you’ll cover every domain in your audit scope.

Below is a screenshot showing a control statement template paired with its evidence source.

SOC 2 Type 2 control statement template paired with its evidence source for audit readiness

Tips For Effective Evidence Collection

Gathering proof is just as critical as writing the statement itself.

Use automated logs that include user IDs, timestamps and detailed change records.
Assign clear control ownership so every artifact has an accountable party.
Store evidence in a central repository with version control to avoid gaps.
Schedule regular reconciliations to spot discrepancies long before auditors begin sampling.

Learn more about defining internal control procedures in our guide on internal control procedures.

Clear control statements paired with consistent, automated evidence shorten the back-and-forth with auditors: they sample faster when artifacts are dated, named, and tied to a specific control rather than pulled together at the last minute.

Align Evidence With Criteria

Each Trust Services Criterion calls for different proof.
Security controls lean on access logs, incident reports and MFA configuration snapshots.
Availability relies on uptime dashboards, backup logs and failover exercise summaries.

Processing Integrity needs data reconciliation records and transaction validation summaries.
Confidentiality taps into key rotation histories and classification reports.
Privacy audits draw from consent logs, DPIA findings and deletion request records.

Mapping these evidence types to each control statement ensures you know exactly where auditors will look.

Organize Evidence Into Artifacts

Group your artifacts by control and by reporting period.
A simple spreadsheet or compliance platform can track document names, dates and owner notes.
Update this inventory monthly and flag missing items at least four weeks before audit sampling.

This proactive approach eliminates last-minute scrambles and smooths out your SOC 2 Type 2 journey. Continuous monitoring and clear, evidence-backed controls form the bedrock of a successful report.

Implementing Continuous Monitoring for SOC 2 Type 2 Controls

Continuous monitoring is how you generate Type 2 evidence as a side effect of running the system, instead of scrambling to reconstruct it before sampling. Track each control consistently and you catch a missed access review or a stale patch while there’s still time to fix it.

Automating data collection with SIEM, EDR, and vulnerability scanners builds the time-stamped audit trail every assessor expects. Routine scans and periodic recertifications set the baseline you measure against.

SOC 2 Type 2 continuous controls monitoring dashboard showing automated security telemetry and alert tracking

Setting Up Automated Telemetry

Start by choosing your key indicators: failed logins, patch status, configuration changes. These become the widgets on your live dashboard.

Use a SIEM for centralized logging with 6–12 months of retention
Deploy EDR agents to capture endpoint events and trigger alerts
Schedule vulnerability scans weekly or monthly

Not all alerts deserve the same attention. Setting clear thresholds keeps your team focused.

Flag when there are five failed logins in five minutes
Trigger an alert if servers go 30 days without critical patches
Notify when CPU or memory usage breaches agreed limits

The tooling landscape has shifted substantially. The generation of platforms launched in 2024 and 2025 (Vanta, Drata, and newer AI-native GRC tools) now connect directly to your cloud providers, identity systems, and vulnerability scanners to pull evidence automatically against specific control requirements, rather than requiring manual exports. Organizations using these platforms report certification timelines roughly half as long as manual approaches, with compliance automation cutting evidence-gathering effort by 30 to 70% depending on the stack. When evaluating tools, look for direct integrations with your actual systems rather than broad claims, and check whether continuous control monitoring is included or sold separately.

Mapping Controls To Trust Criteria

Every control should tie back to one of the AICPA’s Trust Services Criteria. It clarifies scope and streamlines audit sampling.

Control Type	Trust Criterion	Example Frequency
Access Reviews	Security	Quarterly
Patch Scanning	Processing Integrity	Weekly
Log Retention	Availability	6 Months

This map helps you assign clear ownership, schedule tests, and match evidence directly to audit objectives.

Embedding Controls In Daily Operations

The goal is to make controls run on their own, so evidence accrues whether or not anyone is thinking about the audit. Every scan, review, and alert feeds a live dashboard that flags deviations immediately.

Include monitoring updates in daily standups so gaps surface early
Tie alerts directly into incident response workflows
Review control ownership periodically so no control loses its owner

When controls become part of everyday routines, you stay audit-ready year-round instead of scrambling in the weeks before sampling.

Monitoring And Testing Best Practices

No tool catches everything, so combine automation with human spot checks. A quarterly manual review often catches misconfigurations that scanners miss.

SOC 2 Type 2 demands proof of ongoing operation. Auditors will sample telemetry and process documentation over a 3–12 month window, looking for:

Quarterly access recertifications
Weekly vulnerability scans
Centralized logs retained for 6–12 months

Embedding these tasks into daily work means you’re always ready, not just at audit time.

Centralize SIEM, EDR, and scanner outputs in one dashboard so related events sit side by side instead of in separate tools.

Reacting And Escalation Paths

When an alert fires, a clear process keeps response times tight and impact minimal.

Acknowledge alerts within 15 minutes and assign an owner
Escalate unresolved issues to security leads after 1 hour
Document every investigation step and outcome

Link each control to a team or individual, and capture escalation steps in a playbook. Review on-call rotations quarterly to ensure there are no coverage gaps.

Common Rule Configuration Example:

alert_rules
- name: “Failed Login Spike”
- threshold: 5
- window: “5m”
- action: “email_security_team”

Continuous monitoring shows customers your controls operate reliably, not just at a point in time. With logs and scans always running, the evidence for your next audit is already collected before testing starts.

Auditor Testing And Reporting For SOC 2 Type 2 Controls

It helps to walk through each control the way the auditor will, because that shows you which evidence they need and when they’ll ask for it.

At a high level, SOC 2 Type 2 testing unfolds in three stages:

Design Evaluation confirms your controls are built correctly from the outset.
Operating Effectiveness Checks ensure those controls actually run day in, day out.
Sample Selection is where auditors choose specific data points—logs, transactions, user actions—to test.

Knowing this sequence upfront makes gathering screenshots, reports, and logs routine. You’ll know which artifacts line up with each control and when to pull them.

Auditor Test Steps Explained

First, auditors review your control documentation end-to-end. They’re looking for clear policy language, assigned roles, and dependencies — flowcharts and RACI matrices help here.

Next comes the real-world check: they pull system logs, extracts, and configuration snapshots to prove controls fire as designed.

Finally, sampling. Auditors don’t test every instance of a control — they pull enough from the population to conclude the whole period operated as described. Here’s how they typically approach it:

Define The Population
Pinpoint the system or process and the relevant time frame.
Determine Sample Size
Balance risk considerations with materiality thresholds.
Select And Verify Events
Pull items—entries, transactions, access logs—and check timestamps align with your control objectives.

When testing wraps up, auditors hand you a draft internal control report. This preliminary version outlines:

What they tested
Any exceptions they found
Follow-up actions you should plan

The final SOC 2 Type 2 report then delivers their formal opinion on both design and effectiveness. An unqualified opinion means your controls held up with no significant hiccups.

Report Section	Description
Management Assertion	Confirmation that controls are implemented
Auditor Opinion	CPA’s view on design and ongoing effectiveness
Test Procedures	Detailed steps and sampling methods
Exceptions and Findings	Deviations noted and remediation guidance

Reporting Language And Expectations

Auditors use precise terms to describe outcomes, so get comfortable with phrases like unqualified, qualified, and adverse opinions. A Type 2 report stands out because it shows controls working over time, not just on a single day.

“An unqualified SOC 2 Type 2 opinion means controls operated effectively across the audit period.”

Most clean reports come back unqualified. An exception in a Type 2 isn’t automatically fatal: if a control failed for part of the window, the auditor documents the exception and management can add a response describing remediation. Across the auditors in our network, the most common exceptions are access deprovisioning gaps (a terminated user left active) and skipped or late quarterly access reviews — which is why those two controls deserve the tightest evidence discipline.

Many teams pursue overlapping frameworks soon after their first SOC 2 — ISO 27001, HIPAA, or GDPR are the usual additions. You can trim overlap by aligning calendars and evidence lists across SOC 1, SOC 2, and ISO 27001 audits. Here are a few practical tips:

Correlate evidence-collection timelines with audit windows to avoid last-minute scrambles.
Apply statistical methods early so sample pulls slot into testing without friction.
Communicate deadlines in your project management tool—no one should wonder when evidence is due.
Keep all artifacts in a central repository with clear version history and access logs.

These steps cut back-and-forth with auditors and speed up report delivery. When evidence is organized, auditor questions drop sharply. A clean SOC 2 Type 2 isn’t about surprising auditors — it’s about showing them reliable, repeatable controls.

Choosing Auditors As A Startup Or Mid Market Team

The right auditor understands your industry, knows your tech stack, and works within your budget. Getting the early decisions right — scope, service level, and engagement style — is what separates a smooth audit from a stalled one.

Readiness Consulting: Gap analysis, policy drafting and tooling setup before formal testing
Sampling Fees: Driven by the number of systems, controls in scope and evidence complexity
Bundled Engagements: Discounts for combining Type 1 and Type 2 audits; phased plans spread out costs

Budgeting And Negotiating Audit Fees

Before you start comparing proposals, break down what really moves the needle on price. Auditors typically charge for setup consulting plus per-sample work, so defining each deliverable upfront is non-negotiable.

Lay out exactly which Trust Services Criteria you need, how many users you’ll include and where evidence will come from. Armed with that clarity, you can push for phased engagements or fixed-fee bundles that protect you from surprise line items.

By modeling a multi-year ROI, you’ll shift compliance from “just another expense” to a true sales accelerator.

Factoring Market Cost Trends

Audit budgets have continued to climb, with SOC 2 Type 2 now a standard procurement requirement across SaaS, FinTech, and HealthTech. In 2026, the auditor’s fee alone typically runs $20,000 to $60,000 for mid-size companies. When you add readiness work, a compliance automation platform ($7,500 to $20,000 per year), penetration testing, and internal team time, the realistic all-in first-year spend lands between $35,000 and $100,000 for most small-to-mid teams.

Size matters. A small SaaS company doing a security-only, six-month observation period typically pays $22,000 to $35,000 in audit fees. A mid-market company with a broader scope or complex cloud architecture runs $40,000 to $85,000. Enterprise engagements with all five Trust Services Criteria and large evidence populations regularly exceed $100,000 in audit fees alone. The good news on renewals: companies with established compliance programs and a GRC platform typically see second-year re-audit costs 30 to 50% lower than year one, because the auditor already knows the environment and evidence collection is automated.

Most groups spend four to eight weeks on readiness work plus three to twelve months running controls, so labor, tooling and evidence management remain the biggest cost levers. Sales teams value a strong Type 2 report, which is why many organizations treat compliance as a multi-year investment rather than a one-time expense.

“A well-negotiated SOC 2 Type 2 audit turns compliance into a sales accelerator,” recalls a mid-market CISO.

Balancing In-House And External Expertise

First, map your team’s bandwidth and skills. Small groups often automate evidence collection with SIEM or GRC platforms, then lean on consultants for the initial gap analysis. Mid-market firms might own controls internally but rely on auditors for sampling strategy.

To simplify your choice, ask each prospective auditor:

What industry experience do you bring?
Which Trust Services Criteria do you cover by default?
How do you structure fees for readiness versus sampling?
What tooling and automation is included, and what incurs extra charges?

See our guide on how to choose a SOC 2 auditor for detailed steps and comparison tips.

Evaluating Auditor Fit

Culture and communication style can make or break your timeline. Look for firms that openly share:

Average Time to First Response (Days): Measures responsiveness
Standard Report Delivery Window (Weeks): Helps with scheduling
Client Satisfaction Rating (Out of 5): Gauges overall quality

SOC2Auditors.org aggregates verified data across our directory, spotlighting both Type 1 and Type 2 strengths, pricing and responsiveness. This transparency lets you weigh Big Four options against niche specialists without guesswork.

“Our match with a firm that delivered in 6 weeks saved us $10K in overruns,” says a fintech CTO.

Next Steps

Lay out a clear roadmap and lock in internal checkpoints—readiness, evidence collection and periodic reviews. Vet references, dig into case studies and schedule discovery calls with at least two finalists to test responsiveness and technical depth.

Your Auditor Criteria:

Industry: SaaS
Budget Max: 50000
Timeline: ≤ 6 months

With the right partner, your SOC 2 Type 2 audit becomes more than a checkbox—it turns into a strategic asset that wins deals and builds trust.

Frequently Asked Questions

What is the difference between Type 1 and Type 2 controls?

The controls are the same. Type 1 tests whether they’re designed correctly as of one date. Type 2 tests design and operating effectiveness across an operating period (usually 3–12 months), so the auditor samples a population of dated artifacts instead of a single snapshot.

How many controls does a SOC 2 Type 2 need?

There’s no fixed number — the AICPA publishes criteria, not controls. Security alone has 33 Common Criteria (CC1–CC9), and one control can satisfy several criteria. Most programs run roughly 60 to 120 controls depending on which Trust Services Categories are in scope.

How often should I collect evidence?

Match the cadence to each control’s frequency so the auditor sees proof for the whole period:

Review user access quarterly
Run vulnerability scans weekly or monthly
Retain logs for 6–12 months

What are the most common control failures?

Two show up most often as exceptions: access deprovisioning gaps (a terminated user left active) and skipped or late quarterly access reviews. Undefined control ownership and vague control statements are the process problems behind them.

How does automation help with SOC 2 Type 2?

GRC platforms and SIEM tools collect time-stamped evidence on a schedule and connect each artifact to a control, so you hand auditors a dated, self-documented population instead of exporting screenshots by hand the week before sampling.

For how controls map to the criteria, see the SOC 2 controls list and Trust Services Criteria guides.

Ready to find the right auditor? Compare firms by industry, budget, and timeline with SOC2Auditors. Get tailored matches in 24 hours—no cold calls, no hidden fees. Start here: SOC2Auditors.org

Start here: What is a SOC 2 Type 2 report? — the full explainer on what a Type 2 is, how the observation period works, and what auditors actually test.