SOC 2 FAQs
FAQs
Not sure where to start with SOC 2? Here are the common questions we hear from growing tech teams.
You cannot “fail” SOC 2 in the traditional sense, but audits can result in control exceptions. These must be disclosed in the report and may reduce buyer confidence if not addressed properly.
A Type 1 audit often takes 2-4 months, depending on readiness. A Type 2 audit takes longer due to the observation period and can run 6-9 months end-to-end.
Yes. Most SOC 2 audits for UK and European companies are conducted fully remotely. Evidence reviews, interviews, and testing are typically handled online, especially for cloud-based businesses.
At Tempo Audits, we believe in remote-first audits with excellent customer support available every step of the way.
Often, yes. Many US enterprises expect SOC 2 as a baseline trust signal. While alternatives like ISO 27001 may work in Europe, SOC 2 is frequently required for US procurement and security reviews.
SOC 2 is not legally mandatory. However, for SaaS companies selling to enterprise or US customers, it is often a commercial requirement, as many buyers will not proceed without it.
Big 4 firms often charge higher fees because of their brand reputation, larger delivery teams, and more structured audit processes. For some enterprise buyers, that name recognition carries weight. However, many tech companies find that mid-tier or specialist auditors deliver the same assurance with a more practical approach, fewer delays, and better overall value.
The decision depends on your business size, audit budget, and what your potential customers expect.
In terms of audit fees and tooling, yes - but when you include the cost of internal audit resources, probably not. While the audit fee alone may fit within that range, total SOC 2 costs, including internal time, tools, and preparation, usually exceed £30k. Claims below this often exclude significant hidden costs.
The lowest-cost route is a tightly scoped SOC 2 Type 1 audit, focused on essential systems and the minimum Trust Services Criteria needed to meet customer expectations. Avoiding over-scoping and using existing controls effectively makes the biggest difference. It is advisable to consult experienced audit firms or auditors for an informed decision.
The audit alone refers only to the independent auditor’s fee. In the UK and Europe, this usually sits at £10,000-£20,000 for small to mid-sized businesses and £30,000-£100,000+ for larger or more complex environments. It does not include preparation or internal costs.
Sometimes. Many controls overlap, such as access management, logging, and incident response. Typically, there is around 60–70% control overlap. However, evidence still needs to be mapped to SOC 2’s Trust Services Criteria and may require additional context.
No. Automation is not required. Tools can improve efficiency and help collect evidence, but human review remains crucial. Teams still need to confirm that evidence is accurate, complete, and truly reflects how controls operate in practice.
Yes. SOC 2 Type 2 can include multiple systems or services, as long as each one is clearly defined in scope.
You must also provide evidence showing that controls operate effectively across all included systems, not just a subset.
Type 1 readiness verifies control design at a moment in time, while ongoing compliance ensures controls are consistently applied, monitored, and improved between audits.
Yes - especially for fast-moving startups. It demonstrates that controls are in place, giving prospects confidence while you continue building toward Type 2.
Yes. Controls implemented for SOC 2 or Cyber Essentials can often support ISO 27001. However, ISO 27001 requires a formal ISMS structure, risk methodology, internal audits and management reviews, which may not be fully covered by other frameworks.
A SOC 2 report is an independent audit report that shows how effectively your organisation safeguards customer data. It is based on the Trust Services Criteria (TSC) developed by the American Institute of Certified Public Accountants (AICPA).
SOC 2 is not a certification like ISO 27001. It is a detailed report you commission and share directly with customers and prospects. The report is signed by a qualified Certified Public Accountant (CPA) in the US or a CIMA-approved accountant (Chartered Institute of Management Accountants) in the UK and Europe, providing third-party assurance that security controls are properly designed and operating effectively.
Here’s an important clarification: technically, there is no such thing as “SOC 2 certification.” What organisations receive is a SOC 2 report - an attestation, not a certificate.
Unlike ISO 27001, which issues a certificate and badge, SOC 2 delivers a detailed audit report shared with customers and partners.
In practice, everyone still says “getting SOC 2,” and the outcome is the same: credible, independent validation of your security controls.
Absolutely. SOC 2 is recognised globally as a robust security standard.
Geography matters, though. SOC 2 dominates in the US, while ISO 27001 is more common in the UK and Europe. If you sell to American companies, SOC 2 is often non-negotiable. In the US, reports are issued by AICPA-approved CPAs, while UK and European reports come from CIMA-approved firms.
Many of our clients end up pursuing both SOC 2 and ISO 27001, particularly if they're growing internationally. The good news? There's significant overlap in the controls required, so the second one is considerably easier than the first.
SOC 2 audits are carried out by qualified accountancy firms. In the US, this means Certified Public Accountants (CPAs) regulated by the American Institute of Certified Public Accountants (AICPA). In the UK and Europe, audits are delivered by CIMA-approved practices.
These firms employ individual auditors who carry out the assessment. The final SOC 2 report is signed by the firm itself, not the individual auditor, providing institutional accountability and credibility.
When choosing an audit firm, you want to find one that understands tech companies and can move at your pace - not a traditional accounting firm that'll spend six months getting their head around your AWS architecture.
- Build customer trust - SOC 2 shows customers that you take security seriously and have real controls in place to protect their data. It builds trust through transparency.
- Meet commercial requirements - SOC 2 is increasingly required in procurement, especially for US customers and enterprise buyers. For many B2B SaaS companies, deals will not close without a SOC 2 report.
- Strengthen security in practice - SOC 2 is not just a badge. The process forces clearer policies, consistent controls, and auditable processes, leading to stronger access management, incident response, and vendor oversight. This reduces real operational risk.
No, self-assessments identify gaps; only a licensed CPA can issue a valid SOC 2 report.
Controls related to your chosen Trust Services Criteria. Your auditor can confirm exact requirements.
Not necessarily. Internal teams can manage prep if they have sufficient knowledge, but often bring in consultants to support., Auditors can advise on mapping and evidence, as well as readiness.
SOC 2 is built around the Trust Services Criteria (TSC). There are 5 of them:
- Security (mandatory): Protects systems against unauthorised physical and logical access. Covers access controls, encryption, network security, and incident response. Every SOC 2 audit includes security. It’s non-negotiable.
- Availability (optional): Your system is available for operation and use as committed or agreed. Relevant where uptime or SLAs matter.
- Processing integrity (optional): Processing is complete, accurate, timely, and authorised. It’s important when data accuracy is critical.
- Confidentiality (optional): Confidential information is protected as agreed. Relevant for sensitive business data.
- Privacy (optional): Personal data is handled in line with privacy commitments. Relevant when privacy is a key customer concern.
Which criteria you include depends on your business and customer expectations. Most tech companies start with security only, then add others as needed. Choose carefully - each additional criterion adds controls, audit effort, and cost.
Readiness is internal prep, which can be delivered internally or by 3rd party consultants (who don’t need to be auditors); the formal audit produces the official SOC 2 report by an independent CPA.
Both ISO 27001 and SOC 2 are robust security standards, but they come from different traditions and work differently in practice.
Geography and market expectations: ISO 27001 is the dominant standard in Europe, while SOC 2 prevails in the US. If you mainly sell in Europe, ISO 27001 may be the better fit. If you sell to American companies, SOC 2 is often expected.
Certification vs attestation: ISO 27001 results in a certificate issued by an accredited certification body, which you can publicly display. SOC 2 results in an audit report issued by a CPA (Certified Public Accountant) or accountancy practice. It is shared confidentially with customers on request.
Who does the auditing: ISO 27001 audits are carried out by accredited certification bodies. SOC 2 audits are performed by accountancy firms - CPAs in the US and CIMA-approved firms in the UK. At Tempo Audits, we can deliver both.
Audit approach: ISO 27001 follows a more structured, standardised audit process with defined audit days. SOC 2 is more flexible, with scope and testing tailored to your controls and environment.
Controls framework: ISO 27001 uses a defined set of Annex A controls assessed for applicability. SOC 2 is principles-based, using the Trust Services Criteria, with controls designed to fit your business.
Neither standard is inherently better. The right choice depends on your market and customers, and many growing tech companies adopt both as they scale internationally.
Different audiences, different purposes.
SOC 1 is specifically for service organisations that handle financial reporting for their clients. Think payroll processors or claims administrators. It focuses on controls relevant to financial statements and is used by auditors assessing their clients' financial reporting.
SOC 2 is about security, availability, processing integrity, confidentiality, and privacy. It's designed for technology companies and service providers where data security matters. If you're a SaaS company, SOC 2 is almost certainly what you need.
If someone's asking you for a SOC 1 report and you're a tech company, they've probably made a mistake. Point them towards SOC 2.
Not exactly. There are different outcomes, and they are not all equal. Your auditor will issue one of the following opinion types:
- Unqualified opinion (clean report): All controls are properly designed and operating effectively. This is the ideal outcome.
- Qualified opinion: Most controls work, but some exceptions exist. The report explains what failed and why. You still receive a report, but customers may ask questions.
- Adverse opinion: Significant control failures. This is rare and damaging.
- Disclaimer of opinion: The audit could not be completed, usually due to insufficient evidence.
In practice, good audit firms work with you during the audit to identify issues early. If something's not working, you'll typically have a chance to remediate it before the report is issued. That's why choosing an auditor who's collaborative rather than just box-ticking matters.
No, SOC 2 isn't a legal requirement in the UK, Europe, or the US. However, depending on your industry and the type of data you handle, other regulations might apply, like GDPR in Europe or HIPAA if you're dealing with healthcare data in the US.
SOC 2 does not replace legal obligations, but it demonstrates many of the controls that support compliance. In practice, SOC 2 is driven by commercial demand - what customers expect and procurement requires.
Type 1: Point-in-time only. No minimum period required - it's a snapshot of a single day.
Type 2: Minimum 3 months in year 1, though 12 months is standard practice. In your first year, you might do a 3 or 6-month period to get a report in hand quickly, then extend to annual audits going forward.
The period you choose affects how long the report remains useful. A 12-month report gives you a full year of coverage and is generally more impressive to customers than a 3-month report.
Preparation time varies by organisation size and security maturity. Most companies should budget 3-12 months to design, implement, and document controls.
The assessment window for a first-year SOC 2 Type 2 is a minimum of 3 months, though a full-year period is recommended later to maximise report value.
The audit phase itself typically takes 2-4 weeks, depending on complexity.
A word on GRC platforms: GRC platforms can significantly speed up the process by automating evidence collection and tracking controls, making them a worthwhile investment for many tech companies.
Preparation time
Preparing for a SOC 2 audit typically takes:
- Small tech companies (10-30 people): 3-6 months
- Medium tech companies (30-100 people): 4-8 months
- Larger organisations (100+ people): 6-12 months
Timelines depend largely on your starting point. Organisations with established security practices and clear documentation usually progress faster, while those building controls from scratch should plan for the longer end of these ranges.
The audit process
SOC 2 comes in two types:
- Type 1 is a point-in-time assessment. It checks whether controls are properly designed on a specific date. It’s faster and cheaper, but doesn’t prove controls operate over time. Fewer buyers accept it now.
- Type 2 assesses both design and operating effectiveness over time. The minimum period is 3 months, though most companies choose 12 months. The typical path: implement controls, operate them for the chosen period, then complete the audit. Many start with a shorter first-year Type 2, then move to annual audits.
Book a call
No forms, no faff – just a conversation and a quote. Prefer to skip straight to it? Fill out the application form and we'll get moving.
Alternatively, if you have all the details,
fill out this form here.