What SOC 2 Type II Actually Requires
SOC 2 Type II is an audit framework developed by the American Institute of Certified Public Accountants that evaluates how a company manages customer data based on five trust service criteria: security, availability, processing integrity, confidentiality, and privacy. Unlike Type I, which evaluates controls at a single point in time, Type II examines whether those controls operated effectively over a period of typically six to twelve months.
The distinction matters enormously. Type I tells you that a company had good security policies on the day of the audit. Type II tells you that those policies were actually followed, consistently, for months. For customers evaluating vendors, Type II provides substantially more assurance that security practices are genuine and embedded in daily operations.
The scope of a SOC 2 audit is defined by the trust service criteria you choose to include. Most companies start with security as the baseline and add availability and confidentiality. At TrueCheck, we opted to include all five criteria from the start, reasoning that the incremental effort was modest compared to the additional trust signal it provides to our customers.
Preparing as a Startup
The biggest misconception about SOC 2 is that it requires enterprise-grade bureaucracy. In reality, the framework is principles-based, not prescriptive. It does not mandate specific tools or processes; it requires that you have controls in place that are appropriate for your organization and that those controls work as intended.
We started our SOC 2 journey when TrueCheck was a 22-person company. The key insight that made it manageable was treating compliance as an extension of good engineering practice rather than a separate workstream. Most of the controls we needed were things we should have been doing anyway: access reviews, change management, incident response procedures, and monitoring.
We designated one engineer as our compliance lead, allocating roughly 40 percent of their time to the effort during the preparation phase. They worked with department leads to document existing controls, identify gaps, and implement missing controls. The total preparation time from kickoff to audit readiness was approximately four months.
Starting early was crucial. The Type II observation period requires controls to be in place and operating for at least six months. Any control implemented after the observation period starts will not be covered in the audit. We recommend beginning the preparation process at least ten months before you want to have a completed report.
Tools That Made It Manageable
We used Vanta as our compliance automation platform, and it was the single most impactful tool in our SOC 2 journey. Vanta integrates with our cloud infrastructure, identity provider, version control, and HR systems to continuously monitor compliance posture and automatically collect evidence. What would have been weeks of manual screenshot collection became an automated, always-current evidence repository.
For access management, we centralized everything through Okta with SCIM provisioning. This gave us a single source of truth for who has access to what, automated de-provisioning when employees leave, and a clear audit trail for access changes. Access reviews that would have taken days to compile manually were reduced to a few clicks.
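The access-review control described above, that is, a single source of truth for who has access and automated de-provisioning when people leave, only counts if someone periodically checks that the identity provider agrees with HR. The following is an added example, not TrueCheck's tooling or Okta's API: it reconciles a constructed HR roster against a constructed identity-provider export and flags the accounts an auditor would ask about. The roster shape, the one-day de-provisioning SLA and the privileged group name are assumptions.

```python
"""Access-review reconciliation: flag IdP accounts that should no longer exist.

Added illustration, not TrueCheck's code. HR_ROSTER and IDP_ACCOUNTS are
constructed sample data shaped like an HRIS export and a SCIM user dump.
"""
from dataclasses import dataclass
from datetime import date
from typing import Optional, Tuple


@dataclass(frozen=True)
class Employee:
    email: str
    status: str  # "active" or "terminated"
    termination_date: Optional[date] = None


@dataclass(frozen=True)
class IdpAccount:
    email: str
    active: bool
    groups: Tuple[str, ...]


# Constructed sample HR roster (assumed shape)
HR_ROSTER = [
    Employee("alice@example.com", "active"),
    Employee("bob@example.com", "terminated", date(2024, 3, 1)),
    Employee("carol@example.com", "active"),
]

# Constructed sample identity-provider export (assumed shape)
IDP_ACCOUNTS = [
    IdpAccount("alice@example.com", True, ("engineering", "prod-admins")),
    IdpAccount("bob@example.com", True, ("engineering",)),   # left, still active
    IdpAccount("dave@example.com", True, ("contractors",)),  # unknown to HR
    IdpAccount("carol@example.com", False, ("support",)),    # already disabled
]


def reconcile(roster, accounts, as_of, deprovision_sla_days=1):
    """Compare active IdP accounts with the HR roster.

    Returns the three lists an access review needs: active accounts belonging
    to terminated staff, active accounts HR has no record of, and accounts
    that outlived the assumed de-provisioning SLA.
    """
    hr = {e.email: e for e in roster}
    findings = {
        "terminated_still_active": [],
        "unknown_to_hr": [],
        "deprovision_sla_breach": [],
    }
    for acct in accounts:
        if not acct.active:
            continue  # disabled accounts are not an access risk
        emp = hr.get(acct.email)
        if emp is None:
            findings["unknown_to_hr"].append(acct.email)
        elif emp.status == "terminated":
            findings["terminated_still_active"].append(acct.email)
            if emp.termination_date is not None:
                age = (as_of - emp.termination_date).days
                if age > deprovision_sla_days:
                    findings["deprovision_sla_breach"].append(acct.email)
    return findings


def privileged_access_report(accounts, privileged_groups=("prod-admins",)):
    """List active accounts holding any privileged group, for the periodic review."""
    wanted = set(privileged_groups)
    return sorted(a.email for a in accounts if a.active and wanted & set(a.groups))


if __name__ == "__main__":
    print(reconcile(HR_ROSTER, IDP_ACCOUNTS, date(2024, 3, 10)))
    print(privileged_access_report(IDP_ACCOUNTS))
```

Running this on a schedule and keeping the output is exactly the kind of evidence a Type II auditor samples: it shows the review happened, what it found, and (if you also store the follow-up) that findings were acted on.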
Our infrastructure runs on AWS, and we leveraged CloudTrail, GuardDuty, and Config for the monitoring and logging controls required by the audit. These services provided the comprehensive audit trails and anomaly detection that auditors expect to see, without requiring us to build and maintain custom monitoring infrastructure.
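Having CloudTrail enabled is the logging half of the control; the monitoring half is that someone reviews the trail for the events that matter. As an added example (not TrueCheck's configuration and not an AWS service feature), the block below runs a handful of review rules over constructed records laid out in CloudTrail's JSON record format: root-account activity, console logins without MFA, attempts to stop or alter the trail itself, and security-group rules opened to the whole internet. The account id, ARNs and trail name are made up.

```python
"""Review rules over CloudTrail records.

Added illustration, not TrueCheck's monitoring. SAMPLE_RECORDS is constructed
data that follows the CloudTrail record layout; the identifiers are fictional.
"""

# Constructed sample CloudTrail records
SAMPLE_RECORDS = [
    {"eventTime": "2024-05-01T10:00:00Z", "eventSource": "signin.amazonaws.com",
     "eventName": "ConsoleLogin",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/alice"},
     "additionalEventData": {"MFAUsed": "Yes"},
     "responseElements": {"ConsoleLogin": "Success"}},
    {"eventTime": "2024-05-01T10:05:00Z", "eventSource": "signin.amazonaws.com",
     "eventName": "ConsoleLogin",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/bob"},
     "additionalEventData": {"MFAUsed": "No"},
     "responseElements": {"ConsoleLogin": "Success"}},
    {"eventTime": "2024-05-01T11:00:00Z", "eventSource": "cloudtrail.amazonaws.com",
     "eventName": "StopLogging",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/bob"},
     "requestParameters": {"name": "org-trail"}},
    {"eventTime": "2024-05-01T12:00:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "DescribeInstances",
     "userIdentity": {"type": "Root", "arn": "arn:aws:iam::111122223333:root"}},
    {"eventTime": "2024-05-01T12:30:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "AuthorizeSecurityGroupIngress",
     "userIdentity": {"type": "AssumedRole",
                      "arn": "arn:aws:sts::111122223333:assumed-role/Deploy/ci"},
     "requestParameters": {"groupId": "sg-0123abcd", "ipPermissions": {"items": [
         {"ipProtocol": "tcp", "fromPort": 22, "toPort": 22,
          "ipRanges": {"items": [{"cidrIp": "0.0.0.0/0"}]}}]}}},
]

# CloudTrail API calls that weaken or disable the audit trail itself
LOGGING_TAMPER_EVENTS = {"StopLogging", "DeleteTrail", "UpdateTrail", "PutEventSelectors"}


def actor(record):
    """Principal ARN for the record, or 'unknown' if absent."""
    return record.get("userIdentity", {}).get("arn", "unknown")


def check_record(record):
    """Return the names of every review rule this single record trips."""
    hits = []
    ident = record.get("userIdentity", {})
    name = record.get("eventName")
    source = record.get("eventSource")

    if ident.get("type") == "Root":
        hits.append("root_activity")

    if name == "ConsoleLogin":
        mfa = record.get("additionalEventData", {}).get("MFAUsed")
        success = record.get("responseElements", {}).get("ConsoleLogin") == "Success"
        if success and mfa != "Yes":
            hits.append("console_login_without_mfa")

    if source == "cloudtrail.amazonaws.com" and name in LOGGING_TAMPER_EVENTS:
        hits.append("logging_tampering")

    if name == "AuthorizeSecurityGroupIngress":
        perms = record.get("requestParameters", {}).get("ipPermissions", {}).get("items", [])
        world_open = any(
            rng.get("cidrIp") == "0.0.0.0/0"
            for perm in perms
            for rng in perm.get("ipRanges", {}).get("items", [])
        )
        if world_open:
            hits.append("world_open_ingress")
    return hits


def scan(records):
    """Run every rule over every record; one finding per (record, rule)."""
    findings = []
    for rec in records:
        for rule in check_record(rec):
            findings.append({"rule": rule, "eventTime": rec.get("eventTime"), "actor": actor(rec)})
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_RECORDS):
        print(f"{f['eventTime']} {f['rule']:28} {f['actor']}")
```

In practice these rules would run against the trail's S3 delivery or a CloudWatch subscription, and each finding would be ticketed; the ticket trail is what turns "we have GuardDuty and CloudTrail" into an operating control the auditor can sample.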
For policy management, we used Notion to maintain our security policies and procedures in a format that was both auditor-friendly and actually readable by employees. Policies that nobody reads provide zero security value, so we invested time in making them clear, concise, and relevant to daily work.
Common Pitfalls We Encountered
The most painful pitfall was discovering, three months into our observation period, that our change management process had a gap. We required code reviews for all production changes but had not formally documented the requirement or tracked exceptions. The control existed in practice but not in a way that was auditable. We had to restart the observation period for that control after implementing proper documentation.
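The gap described above is a common one: code review happens, but nothing records that every production change had it, and nothing records the exceptions. The block below is an added example, not TrueCheck's process or any version-control platform's API. It takes constructed merged-change records (number, author, approvers, merge time, optional exception ticket), applies the rule that each change needs an approval from someone other than its author or a documented exception, and produces the per-period summary an auditor can sample. The observation window and ticket identifier are made up.

```python
"""Auditable peer-review control over merged changes.

Added illustration, not TrueCheck's tooling. SAMPLE_CHANGES is constructed
data; in practice the records would come from the version-control system.
"""
from dataclasses import dataclass
from datetime import datetime
from typing import Optional, Tuple


@dataclass(frozen=True)
class MergedChange:
    number: int
    author: str
    approvers: Tuple[str, ...]
    merged_at: datetime
    exception_ticket: Optional[str] = None  # documented break-glass record, if any


# Constructed sample merges to the production branch
SAMPLE_CHANGES = [
    MergedChange(101, "alice", ("bob",), datetime(2024, 4, 2, 9, 0)),
    MergedChange(102, "bob", ("bob",), datetime(2024, 4, 10, 14, 0)),        # self-approved
    MergedChange(103, "carol", (), datetime(2024, 4, 15, 23, 30), "INC-42"),  # hotfix with ticket
    MergedChange(104, "dave", ("alice",), datetime(2024, 5, 20, 11, 0)),      # outside window
]


def evaluate_change(change):
    """Classify one merged change against the peer-review control.

    An approval only counts if it comes from someone other than the author;
    a change with no independent approval needs a documented exception.
    """
    independent = [a for a in change.approvers if a != change.author]
    if independent:
        return "compliant"
    if change.exception_ticket:
        return "documented_exception"
    return "violation"


def evidence_summary(changes, period_start, period_end):
    """Summarise control operation over an observation window.

    Returns change numbers per outcome plus the percentage of changes that were
    either reviewed or covered by a documented exception.
    """
    in_window = [c for c in changes if period_start <= c.merged_at <= period_end]
    summary = {"compliant": [], "documented_exception": [], "violation": []}
    for change in in_window:
        summary[evaluate_change(change)].append(change.number)
    total = len(in_window)
    covered = len(summary["compliant"]) + len(summary["documented_exception"])
    summary["coverage_pct"] = round(100.0 * covered / total, 1) if total else 100.0
    return summary


if __name__ == "__main__":
    print(evidence_summary(SAMPLE_CHANGES, datetime(2024, 4, 1), datetime(2024, 4, 30, 23, 59)))
```

Keeping the monthly output of a check like this, alongside the written policy it enforces, is what makes the control auditable rather than merely practised.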
Another common trap is assuming that having a tool in place means having a control in place. An auditor does not care that you purchased a vulnerability scanner; they care that you run it regularly, review the results, and remediate findings within defined timeframes. The tool is just one component of a complete control.
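To make the point concrete: the scanner is a component, and the control is the cadence and the remediation deadlines wrapped around it. The following is an added example, not TrueCheck's process or any scanner's output format. It checks two things over constructed findings: that the scanner actually ran within its required interval, and that each finding was (or is being) remediated within a per-severity deadline. The SLA day counts and the weekly cadence are assumed policy values, not figures from the article.

```python
"""Vulnerability-management control: scan cadence plus remediation deadlines.

Added illustration, not TrueCheck's tooling. SLA_DAYS are assumed policy
values and SAMPLE_FINDINGS is constructed data.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Assumed remediation deadlines by severity, in days from first detection
SLA_DAYS = {"critical": 7, "high": 30, "medium": 90, "low": 180}


@dataclass(frozen=True)
class Finding:
    id: str
    severity: str
    first_seen: date
    resolved_at: Optional[date] = None


# Constructed sample scanner findings
SAMPLE_FINDINGS = [
    Finding("F1", "critical", date(2024, 5, 20)),                    # still open, past 7 days
    Finding("F2", "high", date(2024, 5, 10), date(2024, 5, 25)),     # fixed within 30 days
    Finding("F3", "medium", date(2024, 1, 1), date(2024, 5, 1)),     # fixed, but after 90 days
    Finding("F4", "low", date(2024, 5, 28)),                         # open, within 180 days
]


def due_date(finding):
    """Deadline implied by the finding's severity."""
    return finding.first_seen + timedelta(days=SLA_DAYS[finding.severity])


def finding_status(finding, today):
    """One of: resolved_on_time, resolved_late, open_within_sla, open_overdue."""
    due = due_date(finding)
    if finding.resolved_at is not None:
        return "resolved_on_time" if finding.resolved_at <= due else "resolved_late"
    return "open_within_sla" if today <= due else "open_overdue"


def sla_report(findings, today):
    """Group finding ids by status; the overdue and late lists are the audit exceptions."""
    report = {}
    for f in findings:
        report.setdefault(finding_status(f, today), []).append(f.id)
    return report


def scan_cadence_ok(last_scan, today, max_gap_days=7):
    """True when the most recent scan is within the assumed required interval."""
    return (today - last_scan).days <= max_gap_days


if __name__ == "__main__":
    today = date(2024, 6, 1)
    print("cadence ok:", scan_cadence_ok(date(2024, 5, 29), today))
    print(sla_report(SAMPLE_FINDINGS, today))
```

The two numbers an auditor will ask for are the longest gap between scans in the period and the count of findings closed after their deadline; both fall straight out of this report if it is run and retained on every scan.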
We also underestimated the effort required for vendor management. SOC 2 requires that you assess the security posture of critical vendors and subprocessors. For a company like TrueCheck that relies on carrier partners, cloud providers, and SaaS tools, this meant evaluating dozens of vendors and maintaining documentation of their security practices.
Finally, employee security training was more involved than we expected. Annual training is the minimum; auditors want to see that training is relevant to each employee's role, that completion is tracked, and that the content is updated to reflect current threats. We ended up building a custom training program rather than relying on generic compliance training vendors.
Timeline and Cost
Our total timeline from decision to completed report was approximately 14 months: four months of preparation, eight months of observation period, and two months for the audit itself and report generation. This is typical for a first-time SOC 2 Type II engagement.
In terms of cost, the audit firm engagement was approximately 45,000 dollars for the first year, which is on the lower end for a Type II audit covering all five trust service criteria. Vanta cost approximately 20,000 dollars annually. Internal labor, primarily the compliance lead's time plus contributions from engineering and operations leads, was the largest cost component.
We estimate the total first-year cost at approximately 120,000 dollars when factoring in internal labor, tooling, and the audit itself. Subsequent years are significantly less expensive because the preparation phase is eliminated and the tools and processes are already in place. We budget approximately 60,000 dollars annually for ongoing compliance.
Ongoing Compliance and What We Would Do Differently
SOC 2 is not a one-time achievement; it is an ongoing commitment. The observation period never truly ends because each annual audit evaluates a new twelve-month window. This means that the controls, monitoring, and evidence collection must operate continuously. Any lapse during the observation period will appear in the audit report.
We automated as much as possible to reduce the ongoing burden. Vanta continuously monitors our compliance posture and alerts us when controls drift out of compliance. Access reviews are scheduled automatically. Evidence collection runs on a weekly basis. The compliance lead now spends only about 10 percent of their time on SOC 2 maintenance.
If we could do it over, we would start the process six months earlier and engage the audit firm during the preparation phase rather than waiting until we thought we were ready. Early auditor input would have caught the change management documentation gap and saved us the painful observation period restart.
We would also invest in compliance automation tooling from day one, even before starting the SOC 2 process. The monitoring, access management, and evidence collection capabilities that SOC 2 requires are genuinely valuable for security regardless of whether you are pursuing certification. Building these habits early makes the audit process almost effortless when you eventually decide to pursue it.