SOC 2 Readiness Assessment. No surprises when the auditor arrives.
Engaging an auditor before you are ready is expensive and damaging. Our pre-audit readiness assessment confirms your controls are operating effectively, your evidence is complete, and your system description is accurate before you spend a penny on audit fees.
Six readiness checks. One confident audit entry.
Control Effectiveness Testing
We test each implemented control to confirm it is operating as designed, producing the same evidence an auditor would expect to see during their fieldwork.
Evidence Pack Review
We review your complete evidence pack, checking for gaps, inconsistencies, and documentation that would not satisfy auditor scrutiny, and remediate before the audit begins.
Auditor Simulation
We simulate the auditor experience, walking through your system description, control documentation, and evidence in the sequence an auditor would follow, identifying any issues before they cost you time and money.
Exception Identification
We identify any control exceptions or deviations that occurred during the observation period and assess whether they need to be remediated or can be disclosed with appropriate management response.
System Description Validation
We validate your system description against the actual state of your environment, confirming it accurately reflects your infrastructure, processes, and controls as they will be presented to the auditor.
Readiness Report
A formal readiness report confirming which controls are operating effectively, which require remediation before audit, and a clear recommendation on whether to proceed with auditor engagement.
From evidence collection to readiness decision. Six structured steps.
Evidence Pack Collection
We collect all evidence generated during the observation period, organising it by control objective and confirming completeness before testing begins.
Control Testing
We test each control using the same sampling methodology an auditor would apply, confirming that controls operated consistently throughout the observation period.
Exception Review
We review any control exceptions or deviations, assess their materiality, and advise on whether remediation is required before audit or whether disclosure is appropriate.
System Description Review
We review your system description against the current state of your environment, confirming accuracy and identifying any updates required before the auditor receives it.
Auditor Simulation
We conduct a full walkthrough of your control environment from the auditor perspective, identifying any issues that would result in findings or qualified opinions.
Readiness Decision
We present a formal readiness report and make a clear recommendation on whether to proceed with auditor engagement or address remaining issues first.
Organisations that checked before committing. And got clean reports.
SaaS platform pre-audit validation
A UK SaaS business completed their control implementation and believed they were ready for their Type II audit. Our readiness assessment identified 4 control exceptions and 2 evidence gaps that would have resulted in qualified opinions. We remediated all issues in 3 weeks, and their subsequent audit produced a clean report.
MSP evidence pack review
A UK MSP had collected evidence throughout their observation period but had not reviewed it for completeness. Our readiness assessment identified that their access review evidence was incomplete for 3 months of the observation period. We worked with their team to reconstruct the evidence and confirmed completeness before audit.
FinTech pre-audit simulation
A UK fintech needed confidence before engaging a Big Four auditor for their SOC 2 Type II report. Our readiness assessment and auditor simulation gave their leadership team the assurance they needed. The subsequent audit was completed in 6 weeks with no findings.
Confirm you are ready before your auditor arrives. Three weeks. No surprises.
Our readiness assessment gives you the confidence to engage your auditor knowing your controls are operating effectively, your evidence is complete, and your system description is accurate.