
SOC 2 Audit Checklist: 12 Steps to Audit-Ready

A practical SOC 2 audit checklist: scope your Trust Services Criteria, map controls, collect evidence, close gaps, run a readiness review, and walk into the audit with everything an auditor will ask for.

By the Scrutineer team

June 2026 · 12 min read

A SOC 2 audit checklist that gets you to audit-ready

This SOC 2 audit checklist breaks the road to your report into twelve concrete steps. The goal is not to pass a single audit week; it is to reach a state where your controls produce evidence continuously and an examination is a formality rather than a fire drill. Work through these steps in order and you will walk into your engagement with everything an auditor asks for already in hand.

One framing note before the list: every item below is about readiness. The accredited auditor still performs the independent examination and issues the attestation. Your job, and what this checklist covers, is to be genuinely ready when they arrive.

Scope and design the controls

1. Define your audit scope

Decide which Trust Services Criteria apply. Security is mandatory; add Availability, Processing Integrity, Confidentiality or Privacy only where you make those commitments. A tight scope keeps the evidence load realistic.

2. Map systems and data flows

Document the systems, data stores and third parties in scope. The auditor's system description draws directly from this, and gaps here surface as confusion later.

3. Map controls to each criterion

For every criterion, write the specific control that satisfies it. "Access is reviewed quarterly" is a control; "we take security seriously" is not. Each control must be concrete enough to evidence.

4. Assign an owner to every control

Controls without owners decay. Name a person accountable for each one and for the evidence it produces.

Collect evidence and close gaps

5. Identify the evidence each control needs

For every control, define what proves it: a policy document, a configuration export, a ticket history, a review log. Vague controls produce vague evidence, so tighten the control until the evidence is obvious.

6. Automate evidence collection

Manual screenshots do not scale and go stale fast. Scrutineer auto-collects evidence from your systems and ties each artifact to the control it supports, so your evidence stays current instead of being reconstructed the week before the audit. The platform supports your readiness; it does not issue the report.

7. Run a gap analysis

Compare the controls you have evidenced against the criteria you scoped. Every control with missing, stale or weak evidence is a gap. Scrutineer flags these automatically so nothing slips through.

8. Remediate the gaps

Fix the design or operation of each flagged control before the audit window opens. A gap found now is a task; a gap found during the audit is an exception in your report.

Verify, observe and engage

9. Document policies and procedures

Auditors expect written policies that match what you actually do. Align your access, change-management, incident-response and risk-assessment policies with your real controls.

10. Run a readiness review

Before engaging the auditor, do a full dry run: confirm every control has a current owner and current evidence. This internal review is the single best predictor of a clean examination. To see how a continuous posture supports this, read about audit readiness.

11. Hold the observation period (Type 2)

For a Type 2 report, your controls must operate cleanly across the audit period. Continuous evidence collection means the period accumulates a complete record rather than gaps you scramble to explain.

12. Engage an accredited auditor

A licensed CPA firm performs the examination and issues the report. Everything in this checklist gets you ready for that step; the auditor's independent opinion is what makes the report meaningful to your customers.

Turning the checklist into a default state

The teams who dread audits treat readiness as a project that restarts every year. The teams who barely notice them treat readiness as a state they hold continuously. The difference is automation: when controls emit evidence as a byproduct of normal operation, this entire checklist stays green between audits. That is the posture worth building toward.

Where this leaves you

A SOC 2 audit checklist is only as good as the discipline behind it: scope tightly, map controls to evidence, close gaps before they become exceptions, and keep evidence current so readiness never lapses. Do that and the accredited auditor's examination becomes the easy part. To keep every item on this list continuously green, explore continuous compliance.

See Scrutineer scrutinize your posture

Connect your stack, and Scrutineer maps your controls to SOC 2, ISO 27001, HIPAA, GDPR and PCI, collects evidence automatically and returns a readiness report with per-control statuses, linked evidence and a prioritized gap list. AI scrutinizes, you decide.
