Frequently asked questions

What is SOC 2?

SOC 2 is an attestation developed by the American Institute of Certified Public Accountants (AICPA). It evaluates how effectively an organisation protects customer data, focusing on the systems, processes and controls in place. The framework is built around five Trust Services Criteria: Security (mandatory), Availability, Processing Integrity, Confidentiality and Privacy. Achieving SOC 2 demonstrates that your organisation is taking the right steps to safeguard sensitive information and meet growing client expectations.

What are the different SOC 2 report types?

There are two types of SOC 2 reports. A Type I report confirms that, at a specific point in time, the right controls and processes are in place and appropriately designed. A Type II report goes further by testing those controls over a period of time, usually six to twelve months, to demonstrate that they are operating effectively in practice. Many enterprise clients now require Type II reports as part of their due diligence.

Who delivers a SOC 2 attestation?

Only licensed CPA firms are authorised to issue SOC 2 attestation reports. While LRQA does not conduct the audit itself, we provide comprehensive readiness assessments, consultancy and remediation services. Our role is to ensure you are fully prepared, your documentation is in order, and any gaps are addressed before engaging a CPA to carry out the attestation.

Is SOC 2 a certification?

SOC 2 is not a certification. It is an attestation that provides independent assurance about your controls. The outcome is a detailed report that offers clients and stakeholders confidence in how you protect and manage their data. Although not a certification, SOC 2 is often viewed as a market requirement and can be a decisive factor in winning enterprise contracts.

What evidence is required?

Evidence is central to a successful SOC 2 attestation. Organisations must be able to demonstrate that systems, policies, procedures and controls are documented and consistently applied. This includes technical evidence, such as system logs and monitoring reports, as well as organisational evidence, such as policies, training records and incident response processes. LRQA helps you prepare and manage this evidence effectively, so you are confident when entering the audit.