Build software that passes SOC 2 Type 2 — without a six-month fire drill.
Five Trust Service Criteria, a 12-month observation window, and an auditor with a sampling plan. We architect the evidence pipeline so fieldwork is a confirmation, not an excavation.
Most SOC 2 Type 2 programs are policy theater that collapses under sampling.
The pattern is predictable. A startup buys a compliance platform, ticks 180 boxes, and gets a clean Type 1. Twelve months later the auditor asks for evidence of 25 sampled access reviews, change approvals across the entire window, and proof that quarterly backup restores actually ran. Half the evidence doesn't exist. The CTO spends six weeks reconstructing screenshots from Slack. Exceptions land in the final report. The enterprise deal that triggered the audit slips a quarter while the security team negotiates remediation language with procurement.
- ▸ Terminated employees still appear in Okta or AWS IAM on the auditor's sample date because offboarding is a checklist, not a webhook.
- ▸ Production changes were deployed via console or a forgotten break-glass account with no PR, no ticket, no approver trail.
- ▸ Quarterly backup restore tests are documented in policy but were never actually executed — and the auditor asks for evidence of all four.
- ▸ Vendor SOC 2 reports expired mid-period; the registry is a stale Notion page nobody owns and nobody refreshed.
Architect for the audit on day one — don't bolt it on at month ten.
- STEP-01
Map controls to code, not policies
We translate each Trust Service Criteria control into a concrete engineering artifact: a Terraform module, a GitHub branch protection rule, an IAM policy, a Datadog monitor. Controls without an enforced technical implementation are flagged as policy theater and rewritten.
- STEP-02
Wire evidence collection to CI
Access reviews, change tickets, vulnerability scans, and backup tests emit structured evidence to S3 on a schedule. Drata, Vanta, or Secureframe ingests it. By month three the evidence locker is filling itself without a human chasing screenshots in Slack.
- STEP-03
Lock the change management spine
Every prod change goes through a PR with required reviewers, a linked Jira ticket, automated tests, and a signed deploy. Break-glass paths are logged to a separate audit account. Auditors ask for a sample of 25 changes — you pull them in 10 minutes.
- STEP-04
Run vendor and access reviews quarterly
We script Okta and AWS IAM exports, diff against HRIS terminations, and route exceptions to managers via Slack. Vendor SOC 2 reports get tracked with renewal dates in a single registry. No spreadsheets, no surprise expired reports the week before fieldwork.
- STEP-05
Dry-run the audit at month nine
Three months before fieldwork we pull the auditor's standard request list and execute it against our own evidence. Gaps surface while there's still runway to remediate inside the observation window — not after the auditor has flagged an exception in the report.
# .github/workflows/soc2-evidence.yml
# Emits change management evidence to the audit bucket on every prod deploy.
name: soc2-evidence
on:
push:
branches: [main]
jobs:
capture:
runs-on: ubuntu-latest
permissions:
id-token: write
contents: read
steps:
- uses: actions/checkout@v4
with: { fetch-depth: 0 }
- name: Resolve PR + approvers
id: pr
run: |
PR=$(gh pr list --state merged --search "${{ github.sha }}" --json number,reviews,author,mergedAt -L 1)
echo "payload=$PR" >> $GITHUB_OUTPUT
env: { GH_TOKEN: ${{ secrets.GH_TOKEN }} }
- name: Assume audit-writer role
uses: aws-actions/configure-aws-credentials@v4
with:
role-to-assume: arn:aws:iam::${{ vars.AUDIT_ACCT }}:role/evidence-writer
aws-region: us-east-1
- name: Write immutable evidence record
run: |
cat > evidence.json <<EOF
{ "control": "CC8.1", "sha": "${{ github.sha }}",
"pr": ${{ steps.pr.outputs.payload }},
"actor": "${{ github.actor }}", "ts": "$(date -u +%FT%TZ)" }
EOF
aws s3 cp evidence.json \
s3://acme-soc2-evidence/cc8.1/${{ github.sha }}.json \
--acl bucket-owner-full-controlCC8.1 (change management) evidence collected automatically on every merge to main, written to an Object Lock bucket the engineering team cannot delete.
Field FAQ.
→ What's the difference between SOC 2 Type 1 and Type 2, and which one do I actually need?
Type 1 is a point-in-time snapshot — controls exist on the date of the report. Type 2 covers an observation window, typically 6 to 12 months, and tests whether the controls actually operated. Enterprise buyers and federal primes almost always want Type 2 with a 12-month window. Type 1 is useful as a stepping stone if you need a report on the wall in 90 days while the Type 2 window runs.
→ How long does the observation period really take, and can I shorten it?
First-year reports usually run a 6-month window to get something signed faster, then renewals shift to 12 months. You cannot meaningfully shorten observation — auditors need to sample evidence across the period. What you can shorten is fieldwork and report drafting. With evidence automation in place, fieldwork compresses from 8-12 weeks of back-and-forth to roughly 2 weeks of auditor confirmation.
→ Which Trust Service Criteria should I scope into the report?
Security (Common Criteria) is mandatory. Availability is standard for any SaaS with an SLA. Confidentiality applies if you handle customer data under NDA, which is most B2B. Processing Integrity matters for transactional systems — payments, healthcare claims, payroll. Privacy is heavy and we usually defer it unless you're handling consumer PII at scale or already chasing GDPR/CCPA alignment. Scope tightly; every added criterion adds controls and audit hours.
→ Do compliance platforms like Vanta or Drata actually replace an auditor?
No. They replace the screenshot-collection misery and give you a control inventory mapped to evidence. You still need a CPA firm to issue the opinion. The mistake we see is teams treating the platform's green checkmarks as the bar. Auditors will ask questions the platform doesn't — sample 25 terminations, walk through a specific incident, evidence a backup restore test. The platform is plumbing, not a substitute for engineering rigor.
→ How do you handle vendor management without it becoming a spreadsheet graveyard?
We build a vendor registry in whatever system of record you already use — usually a database table or an Airtable — with fields for SOC 2 report URL, expiration, data classification, and risk tier. A scheduled job flags reports expiring within 60 days and opens a ticket. Subprocessors handling customer data get reviewed annually with documented sign-off. The point is to make the next renewal cheap, not to build a compliance product internally.
→ What does evidence collection automation actually look like in practice?
Concretely: a Lambda that exports Okta user lists weekly to an Object Lock S3 bucket, a GitHub Action that records every prod deploy with PR approvers, a Datadog monitor that alerts on backup job failures and files a Jira ticket, a quarterly script that diffs AWS IAM against your HRIS to catch ghost accounts. Each artifact maps to a specific control ID. Auditors get read-only access to the evidence locker and pull samples themselves.
→ Can a SOC 2 report help with federal contracting or is that a separate track?
Different track, but related. Federal work runs through FedRAMP, FISMA, or CMMC depending on the agency and data type. SOC 2 controls overlap meaningfully with NIST 800-53, so the engineering work is reusable — IAM, logging, change management, incident response. As an SDVOSB, we routinely architect systems to satisfy SOC 2 for commercial customers and a NIST 800-171 / CMMC Level 2 baseline for federal customers from the same codebase.
→ What are the most common reasons a SOC 2 Type 2 report comes back with exceptions?
In order of frequency: terminated employees still had access at sample date, a production change was deployed without a documented PR review, a vendor's SOC 2 report expired mid-period and wasn't refreshed, backup restore tests were never actually run despite the policy saying quarterly, and access reviews were performed but not signed by the reviewer. Every one of these is preventable with automation we put in during the first month of engagement.
→ What does engagement with VooStack on a SOC 2 readiness program look like?
Two phases. Phase one is a 3-4 week readiness assessment: we inventory your systems, map controls to existing engineering practices, identify gaps, and produce a remediation backlog with effort estimates. Phase two is implementation — typically 8-16 weeks depending on starting posture — where senior engineers embed with your team to ship the controls, wire up evidence automation, and run the month-nine dry audit before fieldwork begins.
Continue recon.
Compliance Engineering
How we ship SOC 2, HIPAA, and CMMC controls as code, not policy PDFs.
REL-02Audit Outcomes
Real engagements where readiness work compressed fieldwork from months to weeks.
REL-03Readiness Packages
Fixed-scope SOC 2 readiness assessments and remediation sprints with senior engineers.
REL-04Talk To An Engineer
Skip the sales call. Get on the phone with someone who has shipped this.
Stop scrambling at month eleven. Build the audit in from sprint one.
Talk to a VooStack operator. We respond within one business day.