Info Security
7 min read

SOC 2 — Service Organisation Control 2 Report

If you sell SaaS or IT services to US enterprise customers, your procurement team will ask for SOC 2. It is the US market's equivalent of ISO 27001 — proof that your security, availability, and confidentiality controls are operating effectively. Without a Type II report, large US enterprise deals typically stall.

AICPA
American Institute of CPAs — SOC 2 framework owner
Type II
12-month observation period — gold standard
CPA firm
Issued by a licensed US CPA firm, not a certification body

Your company is preparing for or has a SOC 2 audit and your work creates evidence. SOC 2 auditors sample your actual operations — access review records, incident logs, change management tickets, and system configurations. Your job is to follow documented procedures consistently and complete operational evidence (access reviews, incident reports) on schedule.

Sampled
Auditors pull actual records — not just documents
Consistent
Controls must operate every day, not just at audit time
Evidence
Access reviews, incident logs, change tickets are your proof

Quick reference. SOC 2 = SSAE 18 attestation by licensed US CPA firm. AICPA Trust Service Criteria (TSC): Security (CC), Availability (A), Confidentiality (C), Processing Integrity (PI), Privacy (P). Security CC is mandatory in every SOC 2. Type I = point-in-time (design). Type II = period of time (typically 12 months, operating effectiveness). Not a certification — an attestation report.

SSAE 18
Attestation standard
5 TSC
Security mandatory; others optional
Type II
12 months — operating effectiveness

SOC 2 (System and Organisation Controls 2) is an attestation framework developed by the AICPA (American Institute of Certified Public Accountants). It applies to service organisations that store, process, or transmit customer data. Unlike ISO 27001, which is a certification against a standard, SOC 2 is an attestation — a CPA firm reports on whether defined controls are suitably designed (Type I) or operating effectively over time (Type II).

AICPA
American Institute of CPAs — owner
Attestation
CPA report, not a certificate
TSC
Trust Service Criteria — five categories
Required by US enterprise buyers before vendor approval
Type II (12-month observation) is the gold standard
Issued by a licensed US CPA firm — not a certification body
01 — What it is: Understanding SOC 2

The US enterprise market's trust signal for IT and SaaS companies — an independent CPA report on your controls.

SOC 2 is an attestation report issued by a licensed US CPA firm confirming that a service organisation's controls meet the AICPA's Trust Service Criteria (TSC). Unlike ISO 27001, which results in a certificate, SOC 2 is a detailed report — it describes your controls, the auditor's testing procedures, and the results of that testing.

Type I assesses whether controls are suitably designed at a point in time. Type II assesses whether controls operated effectively over a period — typically 12 months. US enterprise buyers almost always require Type II.

The five Trust Service Criteria: Security (mandatory in every SOC 2), Availability, Confidentiality, Processing Integrity, and Privacy (included based on your service and customer requirements). Most SaaS companies scope Security + Availability + Confidentiality.

SOC 2 vs ISO 27001: US enterprise buyers typically want SOC 2. European and international buyers typically want ISO 27001. Indian IT companies supplying both markets often hold both. They are not interchangeable — US enterprise procurement teams specifically ask for SOC 2. Confirm what your specific buyer requires.

👥 Illustrative case — details changed for confidentiality
The business
SaaS HR platform
Hyderabad · 120 employees, 400+ enterprise clients in US and India
The trigger
Two US enterprise prospects asked for a SOC 2 Type II report before proceeding with procurement. Without it, deals were stalled.
The challenge
They had strong security practices but no formal control framework. Access reviews were informal, change management was undocumented, and incident logs were inconsistent. A CPA firm estimated 6 months to Type II readiness.
Where Clicarity came in
They used Clicarity to manage the SOC 2 readiness programme — each control area was a stage with an owner, evidence requirement, and completion sign-off. When the programme split into Security/Availability and Confidentiality tracks, each ran as a sub-job through the 12-month observation period. Evidence was collected continuously rather than assembled at the last moment.
The result
SOC 2 Type II report issued. Both enterprise deals closed.
Treating the SOC 2 programme as a tracked process rather than an audit preparation exercise changed how we operated. The controls were running, not just documented.
02 — Who needs it: Is it right for you?

Do you actually need it? Honest answer.

✓ You need it
SaaS companies with US enterprise customers or prospects
IT services and BPO companies handling US client data
Cloud service providers with US customers
Companies where US enterprise procurement has asked for SOC 2
∼ Consider your market
Companies selling to European enterprises (ISO 27001 may be preferred over SOC 2)
Indian domestic enterprise buyers (ISO 27001 typically preferred)
— ISO 27001 may be more appropriate
Companies whose buyers are primarily European or South Asian
03 — What it requires: What is checked

What SOC 2 Type II requires — controls that operate continuously over 12 months.

1
Control environment and risk assessment
Documented control framework addressing the Trust Service Criteria in scope. Risk assessment identifying threats to the controls.
E.g. Security policy, access control policy, risk register with threats to customer data security.
2
Logical access controls — the most-sampled area
Role-based access with minimum privilege. Access reviews conducted regularly (quarterly is typical). Terminated employee access revoked promptly. MFA for privileged access.
E.g. Quarterly access review by system — list of users, roles confirmed or adjusted. Terminated employee access revoked within 24 hours.
Most common exception: Quarterly access review not completed on schedule. One missed review quarter can result in a Type II exception.
3
Change management
All changes to systems in scope go through a documented change management process: tested, reviewed, approved before deployment.
E.g. Every code deployment or infrastructure change has a change ticket with: requester, approver, test results, deployment confirmation.
4
Incident response
Documented incident response procedure. Incident log maintained for all security events — including minor ones. Incidents investigated, root cause documented.
E.g. Incident log entry for every security alert: date, description, severity, investigation, resolution, lessons learned.
5
Availability and monitoring
For Availability TSC: uptime monitoring, capacity planning, backup and recovery tested.
E.g. Monthly uptime report. Annual backup restoration test with documented results.
6
Vendor management
Third-party service providers with access to customer data assessed and monitored.
E.g. Approved vendor list. SOC 2 or equivalent from key subprocessors reviewed annually.
7
Continuous evidence collection
The critical difference between SOC 2 and other audits: evidence must be collected continuously, not assembled before the audit. Auditors sample from the entire 12-month period.
E.g. Access review logs from every quarter. Incident log entries from throughout the year. Change tickets going back 12 months.
What inspectors really check

CPA auditors sample evidence from across the 12-month period — not just recent months. Access review records from 9 months ago are as important as last week's. They will ask to see: all access reviews conducted, the incident log, a sample of change tickets, and MFA configuration. One missed quarterly access review is flagged as an exception.
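As an added example that is not part of this page or of Clicarity's product, the following Python checks a constructed set of evidence records against the two most-sampled requirements above: a completed access review for every in-scope system in every quarter of the observation period, and terminated-user access revoked within 24 hours. All record values are constructed, and the calendar-quarter and 24-hour rules are assumptions mirroring the page's examples, not an auditor's actual sampling method.

```python
from datetime import date, datetime, timedelta

# Constructed observation period and evidence records (not real data).
PERIOD_START = date(2025, 1, 1)
PERIOD_END = date(2025, 12, 31)

ACCESS_REVIEWS = [  # (system, date the quarterly review was completed)
    ("prod-db", date(2025, 3, 28)),
    ("prod-db", date(2025, 6, 30)),
    ("prod-db", date(2025, 12, 15)),  # no Q3 review for prod-db
    ("github", date(2025, 3, 28)),
    ("github", date(2025, 6, 27)),
    ("github", date(2025, 9, 29)),
    ("github", date(2025, 12, 18)),
]

TERMINATIONS = [  # (user, termination time, revocation time or None if still open)
    ("alice", datetime(2025, 4, 2, 17, 0), datetime(2025, 4, 3, 9, 30)),
    ("bob", datetime(2025, 8, 11, 12, 0), datetime(2025, 8, 14, 10, 0)),
    ("carol", datetime(2025, 11, 5, 18, 0), None),
]


def quarters(start, end):
    """Return (label, first_day, last_day) for each calendar quarter in the period."""
    result = []
    year, month = start.year, ((start.month - 1) // 3) * 3 + 1
    while date(year, month, 1) <= end:
        next_year, next_month = (year, month + 3) if month <= 9 else (year + 1, 1)
        last_day = date(next_year, next_month, 1) - timedelta(days=1)
        result.append((f"{year}-Q{(month - 1) // 3 + 1}", date(year, month, 1), last_day))
        year, month = next_year, next_month
    return result


def missing_access_reviews(reviews, start, end):
    """Return (system, quarter) pairs with no completed review in that quarter."""
    gaps = []
    for system in sorted({s for s, _ in reviews}):
        for label, q_start, q_end in quarters(start, end):
            if not any(s == system and q_start <= d <= q_end for s, d in reviews):
                gaps.append((system, label))
    return gaps


def late_revocations(terminations, sla=timedelta(hours=24)):
    """Return (user, delay) for revocations later than the SLA or not yet done."""
    return [(user, None if revoked is None else revoked - term)
            for user, term, revoked in terminations
            if revoked is None or revoked - term > sla]
```

Each item returned is a likely Type II exception; run the checks each quarter so the gap is closed inside the observation period rather than discovered at fieldwork.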

Gap analysis checklist — tick what you already have
Trust Service Criteria scope defined and agreed with CPA firm
Security is mandatory; confirm others with your clients.
Access review process in place — quarterly at minimum
Documented, conducted on schedule, records kept.
Change management process covering all systems in scope
Every change has a ticket with approval and test results.
Incident log maintained — all security events, not just major ones
Updated in real time throughout the year.
MFA implemented for privileged and remote access
System configuration evidence available.
Vendor/subprocessor list with annual security assessment
SOC 2 or equivalent from key subprocessors.
Backup and restoration tested annually — results documented
Not just backup running — restoration confirmed.
04 — Official body: Who certifies in India

Who issues this in India — and how to verify it.

SOC 2 is issued by licensed US CPA firms — not certification bodies. The CPA firm must be licensed to perform attestation engagements under SSAE 18. The AICPA maintains a directory of firms that can perform SOC examinations.

Not all Indian accounting firms can issue SOC 2 reports. The firm must be a licensed US CPA firm or have a formal alliance with one. Verify before engaging. A report issued by an uncredentialed firm will not be accepted by US enterprise procurement teams.

AICPA — SOC 2 framework
American Institute of CPAs. SOC 2 framework owner and CPA firm directory. aicpa.org
AICPA — Find CPA firms for SOC
Directory of firms performing SOC examinations.
CISA — Cybersecurity resources
US cybersecurity guidance relevant to SOC 2 controls.
ISACA — CISA and CISM certifications
Professional certifications for auditors and security professionals.
AICPA — SOC report information for service organisations
05 — Timeline: How long it takes

What to expect — a typical journey.

Based on aicpa.org. Actual timelines vary. Confirm with your CPA firm.

SOC 2 Journey
Step 1
Scope selection
Decide which Trust Service Criteria to include. Security is mandatory.
Step 2
Readiness assessment
Engage CPA firm for readiness assessment. Identify control gaps.
Step 3
Gap remediation
Implement missing controls. Document. Begin operating.
Step 4
Observation period begins
12-month period of control operation. Evidence collected continuously.
Step 5
Type II fieldwork
CPA firm samples evidence from across the full 12 months.
Report
SOC 2 Type II issued
Distributed under NDA to customers.
Where to begin: Use the checklist in Section 3 to assess your readiness before contacting any CPA firm.
Type I timeline
2-4 months from start
Readiness + gap remediation + point-in-time assessment.
Type II timeline
12+ months observation
Controls must operate for the full period before Type II is issued.
CPA firm
Licensed US CPA firm only
Verify licensing before engaging.
Cost
Varies by scope and firm
Typically higher than ISO 27001. Multiple firms should be quoted.

SOC 2 Type II cannot be rushed. The 12-month observation period is fixed. Starting the observation period with gaps in your access review process means the Type II report will contain exceptions. Remediate all gaps before the observation period begins.

06 — Find certified companies: How to verify

How to find and verify certified organisations.

SOC 2 reports are confidential — distributed under NDA to customers and prospects. There is no public registry. Service organisations may publish a summary or provide the full report to qualified customers under a signed NDA.

How to verify: There is no public register to search. Request the organisation's current SOC 2 report directly, under NDA, and confirm that the firm which issued it is a licensed US CPA firm (see Section 4).

AICPA — SOC report framework for service organisations
07 — First 3 steps: How to actually start

What to do this week if you want to get started.

1
Decide your Trust Service Criteria scope — then engage a CPA firm for a readiness assessment

Security is mandatory. Add Availability and Confidentiality based on your customer requirements. Get a readiness assessment before starting the observation period.

AICPA firm finder
2
Implement quarterly access reviews — and actually run them on schedule

This is the most commonly missed control in SOC 2 Type II audits. Set calendar reminders for every quarter. Document and retain every review.

3
Start an incident log today and make it a daily operational habit

SOC 2 auditors sample from 12 months. An incident log that starts 2 months before the audit is obviously inadequate. Start now.

08 — How Clicarity fits: Process tracking

Good records are the foundation. A process tracker builds them automatically.

Clicarity — Live Job Process Tracker & Bottleneck Identifier

Clicarity doesn't audit your SOC 2 controls. It tracks your SOC 2 readiness programme — ensuring every control area has an owner, evidence is collected continuously, and nothing falls through the gaps over the 12-month observation period.

SOC 2 Type II is not a point-in-time assessment — it covers how your controls operated over a 12-month observation period. Evidence must be collected continuously: quarterly access reviews, incident logs updated in real time, change management records for every system change. In Clicarity, the SOC 2 programme is a job with control areas as stages. When the programme splits across Trust Service Criteria (Security, Availability, Confidentiality), each criterion is a sub-job with its own evidence trail. When they rejoin at CPA fieldwork, the complete 12-month evidence record of every criterion is preserved.

Each control area assigned as a stage with a named owner and evidence type — access review, vulnerability scan, incident log, change record. Nothing is undocumented.
When the programme splits by Trust Service Criteria, each criterion's controls and evidence are tracked independently through the observation period.
Quarterly checkpoints at each stage confirm that controls are operating — not just documented. The CPA firm samples from this operational evidence.
Clicarity's role-based access and timestamped records are themselves evidence of access control — one of SOC 2's most-sampled control categories.
📄 Job tracked in Clicarity
#SOC2-2026 — SOC 2 Type II audit programme — 12-month period
Audit initiated
Service organisation
CPA firm engaged
Trust Service Criteria in scope
📅Observation period start
📅Observation period end
Controls inventory
Control area
Control owner
Control documented
Evidence owner
Evidence type
Readiness assessment
CPA firm review
Gaps identified
#Gaps to remediate
Remediation owner
📅Target date
Control operation — ongoing
Access reviews completed
Incident log current
Change management followed
Vulnerability scans done
📅Quarter
▼ Job splits — each component tracked independently
#SOC2-2026-A
Security & Availability criteria
Controls operating
Evidence collected
No material gaps
#SOC2-2026-B
Confidentiality & Processing Integrity
Controls operating
Evidence collected
No material gaps
Components rejoin as #SOC2-2026 — complete record of every branch, every data point, every sign-off preserved.
CPA fieldwork
CPA firm on-site
#Controls sampled
All controls effective
Any exceptions
📅Fieldwork date
Report draft review
Management reviewed
Management response if needed
Report approved
📅Draft date
SOC 2 Type II report issued
Report type
📅Issue date
Report period
Distributed under NDA
Next audit period
Wastage tracked:
▰ Security and Confidentiality criteria tracked through the observation period independently
▰ Evidence collected continuously — not assembled at audit time
▰ No material exceptions at fieldwork is the goal
ⓘ Fields and stage names are fully customisable. This illustrates a typical SaaS / IT service company — SOC 2 Type II audit setup.

Clicarity is a process tracking tool. It does not provide certification, consulting, or audit services.

Wondering if Clicarity fits your process? Describe how your jobs flow and we’ll tell you honestly whether it’s the right fit.
Last verified March 2026 · aicpa.org · isaca.org