SOC 2 · 2026-03-10 · 6 min

How to prepare for a SOC 2 audit: a GRC team fieldwork checklist

Fieldwork success depends on preparation weeks before the auditor arrives. Use this checklist to organize evidence, brief control owners, and reduce finding risk.

By AuditOak GRC Team · 911 words · 6 min read

Pre-fieldwork timeline: eight weeks to two weeks out

Audit preparation begins eight weeks before fieldwork, not the day the auditor sends the request list. At eight weeks, confirm scope, criteria, audit period dates, and point-in-time date for Type I. Assign a single audit liaison who owns all communication with the firm and internal control owners.

At six weeks, complete a full evidence refresh. Every control in scope should have current artifacts dated within the audit period or within thirty days of the point-in-time date. Replace expired screenshots, renew vendor SOC reports approaching one year old, and close open remediation tickets that would contradict control descriptions.

At four weeks, conduct a management readiness briefing. Executive sponsors should understand scope, known gaps, remediation status, and expected management representation letter commitments. Surprises at this stage are manageable; surprises during fieldwork are not.

At two weeks, finalize the request log template, confirm auditor portal access, and validate that every control owner has calendar holds during fieldwork. Small logistics failures cause delays just as costly as substantive evidence gaps.

  • 8 weeks: confirm scope, dates, liaison assignment
  • 6 weeks: evidence refresh and vendor report updates
  • 4 weeks: management briefing and gap remediation
  • 2 weeks: control owner training and mock requests

Organizing the evidence repository

Structure evidence folders by Common Criteria reference with subfolders for each control activity. Include an index spreadsheet listing control ID, description, owner, evidence file name, collection date, and audit period coverage. Auditors work faster with clear indexes, which reduces fieldwork duration and your team's disruption.

Name files descriptively: CC6.1_AccessReview_Q1-2026_TicketExport.pdf beats scan001.pdf. Consistent naming conventions prevent duplicate uploads and version confusion when multiple team members contribute artifacts.

Verify evidence integrity. Auditors question screenshots without timestamps, logs exported without source system metadata, and policies with conflicting version dates. Prefer system-generated exports over manual screenshots where possible.
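As an added example that is not part of the original article, this Python script applies the repository checks above to a constructed evidence index: file names are tested against the CC6.1_AccessReview_Q1-2026_TicketExport.pdf convention and their criterion compared to the control ID, collection dates are tested against the audit period, and vendor SOC reports are flagged as they approach one year old. The column names, the 335-day warning threshold, the audit period and the sample rows are assumptions.

```python
import csv
import io
import re
from datetime import date

# Naming convention from the article: <Criterion>_<Activity>_<Period>_<ArtifactType>.<ext>
NAME_RE = re.compile(
    r"^(?P<crit>CC\d\.\d)_(?P<activity>[A-Za-z]+)_(?P<period>[A-Za-z0-9]+-\d{4})"
    r"_(?P<kind>[A-Za-z]+)\.(pdf|csv|xlsx|png)$"
)
VENDOR_WARN_DAYS = 335  # assumed: flag vendor reports within 30 days of one year old

# Constructed sample index; column names are assumed to follow the article's index spreadsheet.
SAMPLE_INDEX = """control_id,description,owner,evidence_file,collection_date,coverage
CC6.1,Quarterly access review,ops-lead,CC6.1_AccessReview_Q1-2026_TicketExport.pdf,2026-02-14,Q1-2026
CC6.3,Termination checks,hr-lead,CC6.1_Termination_Q1-2026_TicketExport.pdf,2026-02-01,Q1-2026
CC7.2,Alert triage sample,sec-lead,scan001.pdf,2026-01-20,Q1-2026
CC8.1,Change approval sample,eng-lead,CC8.1_ChangeApproval_Q4-2025_TicketExport.csv,2025-03-15,Q4-2025
CC9.2,Vendor SOC report,grc-lead,CC9.2_VendorSOC_FY-2025_Report.pdf,2025-04-20,FY-2025
"""


def check_index(index_csv, period_start, period_end):
    """Return (control_id, finding) pairs for rows an auditor would question."""
    findings = []
    for row in csv.DictReader(io.StringIO(index_csv)):
        cid = row["control_id"]
        m = NAME_RE.match(row["evidence_file"])
        if not m:
            findings.append((cid, "file name does not follow naming convention"))
        elif m.group("crit") != cid:
            findings.append((cid, "file name criterion does not match control_id"))
        collected = date.fromisoformat(row["collection_date"])
        if not period_start <= collected <= period_end:
            findings.append((cid, "collection_date outside audit period"))
        # Vendor SOC reports age out on their own clock, independent of your audit period.
        if m and m.group("activity") == "VendorSOC":
            if (period_end - collected).days > VENDOR_WARN_DAYS:
                findings.append((cid, "vendor SOC report approaching one year old"))
    return findings


def run_sample():
    """Check the constructed index against an assumed Type II period."""
    return check_index(SAMPLE_INDEX, date(2025, 4, 1), date(2026, 3, 31))


if __name__ == "__main__":
    for cid, finding in run_sample():
        print(f"{cid}: {finding}")
```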

Briefing control owners

Every control owner should receive a one-page summary of their controls, expected evidence, and how to respond to auditor inquiries. Engineers, HR staff, and finance team members who rarely interact with compliance need plain-language briefings without acronyms.

Conduct a thirty-minute walkthrough with each owner showing where evidence lives and how to retrieve it within fifteen minutes. If retrieval takes longer, fix the repository before fieldwork rather than during it.

Establish escalation rules. Control owners should not independently agree to scope changes or admit control failures. Route auditor questions about design exceptions to the GRC lead and legal questions to counsel.

Mock audit and request list rehearsal

Two weeks before fieldwork, run an internal mock audit using your auditor's prior-year request list or a standard SOC 2 request template. Select twenty to thirty samples across access, changes, incidents, and vendors. Score pass or fail for each sample and remediate failures immediately.

Time the mock audit. If your team cannot produce requested evidence within twenty-four hours internally, the auditor experience will mirror that delay. Mock audits reveal process bottlenecks, not just missing files.

Document mock findings in a remediation log with owner, due date, and resolution evidence. Auditors respond better to transparency about known issues with documented remediation than to discovering undisclosed gaps during testing.

Day-one fieldwork logistics

Prepare a virtual war room with video conference link, shared evidence repository access, and a daily standup schedule. Even remote audits benefit from structured touchpoints rather than ad hoc Slack messages.

Designate backup owners for every primary control owner covering PTO and sick days. Fieldwork scheduled during company holidays or all-hands weeks is a common self-inflicted delay.

Keep a request log tracking auditor requests, submission dates, and response owners. Daily reconciliation ensures nothing falls through the cracks when multiple team members respond in parallel.

Post-fieldwork management letter response

After testing completes, the auditor issues draft findings for management response. Review each finding with control owners and executive sponsors before submitting written responses. Commit to remediation dates you can meet; missed commitments appear in the final report.

Distinguish between design deficiencies and operating effectiveness exceptions. Design gaps may require policy and configuration changes. Operating exceptions may require process reinforcement and additional training rather than new tools.

Archive the complete evidence package with the final report. Type II programs need prior-period evidence for bridge letters and year-over-year comparisons. Retention of seven years aligns with common legal and audit standards.

Sustaining readiness between audit cycles

Fieldwork preparation is not a one-time project. Assign monthly evidence collection owners for each control frequency so artifacts accumulate before the next season. Teams that treat compliance as continuous report lower finding rates on Type II renewals.

Track auditor request patterns from prior cycles. If access reviews and change samples dominated requests, prioritize those controls in internal monitoring dashboards throughout the year.

Schedule a quarterly GRC review with engineering and operations leadership to surface architectural changes that affect control design before they become audit surprises.

Maintain a lessons-learned document after each fieldwork cycle capturing request types that slowed responses, control owners who need backup training, and tooling gaps that delayed evidence retrieval. Reference it during the next preparation cycle.

Publish an internal fieldwork calendar visible to all control owners showing daily standup times, expected response SLAs for auditor requests, and escalation contacts when primary owners are unavailable.

Key takeaways

  • Start preparation eight weeks before fieldwork with scope confirmation and evidence refresh.
  • Organize evidence by criterion reference with indexed metadata and descriptive file names.
  • Brief all control owners with plain-language summaries and fifteen-minute retrieval drills.
  • Run a timed mock audit two weeks before fieldwork to surface gaps while remediation is feasible.
  • Log auditor requests daily and archive the complete evidence package with the final report.
