SOC 2, evidence-ready.
An AICPA attestation that a service organization's controls actually operate as described. The audit is your CPA firm's. The control environment underneath it is ours.
What SOC 2 actually is.
SOC 2 is an attestation, not a certification. A CPA firm issues a report saying that a service organization's controls, mapped to the AICPA's Trust Services Criteria, are designed (Type I) or operating effectively (Type II) over a defined window. The report is then handed to customers and prospects as third-party proof.
Five Trust Services Criteria are available: Security is mandatory; the other four are scoped in by relevance. Most service orgs include Security and Availability, and add Confidentiality if they handle proprietary customer data.
Timing matters. Type I is a point-in-time snapshot, typically a 4 to 8 week engagement. Type II requires an operating window, usually 6 to 12 months, plus the audit. A first SOC 2 Type II is therefore 9 to 18 months from kickoff.
- Security: Required. Controls protecting against unauthorized access.
- Availability: Optional. Uptime, performance, disaster recovery.
- Confidentiality: Optional. Protection of information designated confidential.
- Processing Integrity: Optional. Completeness, accuracy, timeliness of processing.
- Privacy: Optional. Collection, use, retention, and disclosure of personal information.
Who has to comply.
No regulator requires SOC 2, but enterprise customers increasingly do. Service organizations that touch customer data are the standard audience:
- SaaS and PaaS vendors selling into enterprise or regulated industries.
- MSPs and IT outsourcers whose customers are themselves under SOC 2 or SOX scope.
- Data processors handling customer-controlled data in their own infrastructure.
- Payroll, billing, and BPO firms whose clients treat SOC 2 as a vendor requirement.
What we implement.
SOC 2 evidence is mostly continuous: logs, screenshots, change tickets, access reviews, captured across the audit window. We design the environment so evidence is a byproduct, not a fire drill.
- Logical access: MFA everywhere, role-based access, quarterly user access reviews, joiner/mover/leaver process tracked end-to-end.
- Change management: Every change ticketed and reviewed, code merged via peer review, infrastructure changes through IaC with approval gates.
- Monitoring and IR: Centralized logging, alerting on anomalous access, IR runbooks tested annually with documented exercises.
- Vendor risk: Vendor inventory with annual reviews. Critical vendors carry their own SOC 2 report or comparable assurance.
- Encryption: TLS in transit, AES-256 at rest, key management documented. Data classification tied to handling rules.
- Availability and backup: Documented RTO/RPO per system. Backup tested by restore. DR exercise at least annually.
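As an added illustration of the logical access control above (quarterly user access review with joiner/mover/leaver tracking), here is a small reconciliation script. It is example code written for this page, not the firm's own tooling. The HR roster, account export, and role-to-group entitlement map are constructed sample data, and the field names (employee_id, status, role, groups, mfa_enabled) are assumptions about what an HR system and an identity export would provide.

```python
"""Quarterly user access review: reconcile an HR roster against a system's accounts.

Added example for this page, not the firm's tooling. All data below is constructed;
the field names and the role-to-group entitlement map are assumptions.
"""
from dataclasses import dataclass
from datetime import date

# Constructed HR roster: who should exist, and whether they have left or changed role.
HR_ROSTER = {
    "e100": {"name": "Ana", "status": "active", "role": "engineer"},
    "e101": {"name": "Bo", "status": "active", "role": "support"},
    "e102": {"name": "Cy", "status": "terminated", "role": "engineer"},  # leaver
    "e103": {"name": "Di", "status": "active", "role": "support"},  # mover, was engineer
}

# Constructed account export from a production system.
SYSTEM_ACCOUNTS = [
    {"user": "ana", "employee_id": "e100", "groups": ["prod-deploy"], "mfa_enabled": True},
    {"user": "bo", "employee_id": "e101", "groups": ["ticket-read"], "mfa_enabled": True},
    {"user": "cy", "employee_id": "e102", "groups": ["prod-deploy"], "mfa_enabled": True},
    {"user": "di", "employee_id": "e103", "groups": ["prod-deploy", "ticket-read"], "mfa_enabled": False},
    {"user": "svc-backup", "employee_id": None, "groups": ["backup-admin"], "mfa_enabled": False},
]

# Assumed role-based access model: the groups each job role is entitled to hold.
ROLE_ENTITLEMENTS = {
    "engineer": {"prod-deploy"},
    "support": {"ticket-read"},
}


@dataclass
class Finding:
    user: str
    issue: str
    detail: str


def review_access(roster, accounts, entitlements):
    """Return the review findings: leavers, excess access, missing MFA, unowned accounts."""
    findings = []
    for acct in accounts:
        user, emp = acct["user"], acct["employee_id"]
        groups = set(acct["groups"])
        if emp is None:
            # Service accounts need a named owner and their own review; flag for follow-up.
            findings.append(Finding(user, "unowned_account", "no employee_id; confirm owner and purpose"))
            continue
        person = roster.get(emp)
        if person is None or person["status"] != "active":
            # A leaver (or unknown identity) still holding an account means the JML process failed.
            findings.append(Finding(user, "leaver_active", f"employee {emp} not active in HR"))
            continue
        excess = groups - entitlements.get(person["role"], set())
        if excess:
            # A mover kept entitlements from a previous role: violates least privilege.
            findings.append(Finding(user, "excess_access", f"groups {sorted(excess)} beyond role {person['role']}"))
        if not acct["mfa_enabled"]:
            findings.append(Finding(user, "mfa_missing", "interactive account without MFA"))
    return findings


def evidence_record(findings, accounts_reviewed, review_date=None):
    """Summarise the review as a dated record for the Logical Access evidence folder."""
    review_date = review_date or date.today()
    return {
        "control": "quarterly user access review",
        "review_date": review_date.isoformat(),
        "accounts_reviewed": accounts_reviewed,
        "findings": [vars(f) for f in findings],
    }


if __name__ == "__main__":
    results = review_access(HR_ROSTER, SYSTEM_ACCOUNTS, ROLE_ENTITLEMENTS)
    for f in results:
        print(f"{f.user:12} {f.issue:16} {f.detail}")
    print(evidence_record(results, len(SYSTEM_ACCOUNTS)))
```

Run each quarter against fresh exports, the dated record is the evidence the auditor asks for, and each finding becomes a ticket with a documented remediation. Running it only once before fieldwork produces exactly the week-48 spike described under the pitfalls below.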
Who owns what.
On us
- Continuous control operation across the audit window
- Evidence collection and organization (one folder per criterion)
- Coordination with your CPA firm during fieldwork
- Quarterly internal control reviews
- Vendor risk reviews on technology vendors
- Incident response, technical containment, and forensics support
On you
- CPA firm selection and engagement letter
- Executive sponsor and security committee
- Customer-facing system descriptions (we draft, you approve)
- Workforce policies and security awareness training program
- Final management assertion and signature
- Distribution of the SOC 2 report to customers
Common pitfalls we see.
Choosing Type II first, with no Type I to show progress.
Type II requires 6 to 12 months of operating evidence. Customers asking for SOC 2 now will not wait. A Type I in month one, with a Type II ready to start at month seven, is a much better story than radio silence for a year.
Scoping in every TSC because customers might ask.
Each Trust Services Criterion adds controls and audit fees. Security is required, Availability is usually expected, the others should be scoped only if they materially apply. Padding the scope makes the audit harder without helping the customer.
Evidence collection that starts the week before audit.
Auditors look for evidence captured continuously across the window. A spike of perfect tickets in week 48 is a finding, not a save. We instrument evidence collection from day one.
Treating the system description as a marketing document.
If the description overstates what the controls actually do, the auditor finds the gap. We write the description from what is real, and only what is real.
Related frameworks.
These usually run alongside or follow SOC 2.
Let's talk for 30 minutes.
No slides.
Bring your last SOC 2 report, your enterprise customer's vendor questionnaire, or your readiness gap analysis. We'll come back with a written assessment, and what it would cost.
- 30-min discovery, no slide deck
- Free written assessment, yours to keep
- A clear proposal, no pressure
Or call us directly: 904-639-0003