
Preparing for a SOC 2 Audit: A 90-Day Readiness Roadmap

Sam Wheeler · September 9, 2025

Whether you're preparing for your first SOC 2 audit or entering another annual cycle, the 90 days before your audit window opens are among the most impactful in your compliance calendar. How you use them determines whether you're defending a well-operated program or scrambling to explain gaps.

Month 1: Assess and Inventory (Days 1–30)

Gap assessment against your chosen Trust Service Criteria. Walk through each control in your scope and honestly evaluate: is this control implemented, is it operating as documented, and is there evidence that it's working? This is best done with a fresh eye — either by a third-party advisor or an internal team member not directly responsible for each control area.

Evidence inventory. For Type II audits, you need evidence of controls operating throughout the observation period. What evidence do you have, and what are you missing? Common evidence types: access review records, security training completion reports, penetration test results, vulnerability scan outputs with remediation tracking, change management logs.

Control owner alignment. Every control needs a clear owner who understands their responsibility and the evidence requirements. If control owners are unclear or the responsibilities have shifted, clarify now — not during the audit.

Vendor documentation collection. Auditors will ask for documentation on critical vendors. Pull current SOC 2 reports from your significant subservice providers. If any are missing or expired, request updated reports now.

Month 2: Remediate and Document (Days 31–60)

Address high-priority gaps. Month 2 is your primary remediation window. Focus on gaps that affect control operating effectiveness rather than cosmetic issues — missing evidence, access reviews not performed, training not completed, open vulnerabilities past SLA.

Access review execution. If you're behind on periodic access reviews, execute them now. For user access reviews, pull access lists for critical systems, have system owners or managers confirm appropriateness, and document the review and any remediation.

Policy and procedure review. Auditors will review your policy documentation. Ensure policies are current (not years out of date), reflect actual operations, and are accessible to the employees they govern. Policies that describe processes you don't follow are findings, not protections.

Evidence collection systems. If you're not continuously collecting evidence (audit logs, review records, training completions), establish the collection mechanism and begin gathering retroactive evidence for the observation period where possible.

Training completion. Ensure all required security training has been completed for all in-scope personnel within the required timeframes. Gaps in training completion are common and easy to fix before the audit.

Month 3: Validate and Prepare (Days 61–90)

Internal readiness assessment. Walk through each control area as an auditor would. For each control: can you produce evidence of it operating? Is the evidence dated within the observation period? Does the evidence match the control description in your system?

Management review. Ensure management-level reviews — risk assessments, security program reviews, policy approvals — are documented and dated within the observation period. Management review is a standalone requirement in most SOC 2 frameworks, not just a background activity.

Penetration test (if required or planned). If your scope includes penetration testing, ensure the test is completed, reviewed, and remediation of critical findings is tracked and documented before the observation period closes.

Coordinate with your audit firm. Share your readiness status, discuss scope, confirm the audit timeline, and surface any open questions. Surprises during the audit are much more costly than questions resolved in preparation.

Prepare your team. Anyone who will be interviewed during the audit or who has control responsibilities should understand what the audit involves, what evidence they're responsible for, and who to contact if they receive requests from the auditor.

The Ongoing Readiness Mindset

Organizations that consistently produce clean SOC 2 reports treat compliance as continuous, not cyclical. Controls that operate year-round produce evidence year-round. The 90-day prep period is validation and cleanup — not the time when you start operating the controls.

If this 90-day period feels like starting from scratch, that's the signal to invest in a continuous compliance program that maintains readiness outside the audit cycle.